Re: [liberationtech] Mega
Seems like the good Mr. Bubbles is at least partially putting his money where his mouth is.

http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/

Have a go, everyone!

Best
/P

On 23 January, 2013 - Bernard Tyers - ei8fdb wrote:
> On 23 Jan 2013, at 12:45, Eugen Leitl wrote:
>> On Wed, Jan 23, 2013 at 07:40:13AM -0500, bbrewer wrote:
>>> All the money in the world, and still, so many listed problems on this new service. Malicious intent, or just complete rush to give the finger to the authorities?
>>
>> You don't seem to know Kim dotcom Schmitz well.
>
> You beat me to it.
>
> IMO, this is a two fingers from Kim Dotcom to the US government, and a PR stunt to garner support from his new host country of New Zealand. He feels hard done-by (and he has a point). It's a PirateBay.org style campaign and will probably be reasonably successful.
>
> The best outcome possible is to point out the issues with it (as is being done), explain why they are important, and hammer those messages through in the media. Those messages will miss some people (as they will only see free and secure), but that's always the way.
>
> bernard
> --
> Bernard / bluboxthief / ei8fdb
> IO91XM / www.ei8fdb.org

--
Petter Ericson (pett...@acc.umu.se)
Telecomix Sleeper Jellyfish

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Mega
Mega needs an optional Chrome and Firefox plugin -- what Crypto.cat did, but it could be optional. They also need a desktop client like Dropbox so I can encrypt my files automatically prior to uploading.

On Sun, Jan 27, 2013 at 1:56 AM, Jerzy Łogiewa <jerz...@interia.eu> wrote:
> More danger with Mega because more users. A hot subject means security researchers also get noticed by bloggers and newspapers :-)
>
> --
> Jerzy Łogiewa -- jerz...@interia.eu
>
> On Jan 21, 2013, at 11:52 PM, micah anderson wrote:
>> I've always wondered why something like Mega gets a lot of attention and people audit it pretty much immediately, but something like Retroshare, which has been around for a while, never has the eye of Sauron pass over it.
Re: [liberationtech] Mega
Randolph D.:
> *www.cloudfogger.com*
>
> or: http://retroshare.sf.net
>
> 2013/1/27 Brad Beckett <bradbeck...@gmail.com>
>> Mega needs
>> They also need a desktop client like Dropbox so I can encrypt my files automatically prior to uploading.

I believe Cyphertite will encrypt your files prior to uploading.

Tahoe-LAFS?

--
scarp
Re: [liberationtech] Mega
Yes, exactly what I was thinking, but MegaUpload needs to come up with Mac, PC, and Linux desktop clients -- stat.

On Sun, Jan 27, 2013 at 2:20 AM, scarp <sc...@tormail.org> wrote:
> Randolph D.:
>> *www.cloudfogger.com*
>>
>> or: http://retroshare.sf.net
>>
>> 2013/1/27 Brad Beckett <bradbeck...@gmail.com>
>>> Mega needs
>>> They also need a desktop client like Dropbox so I can encrypt my files automatically prior to uploading.
>
> I believe Cyphertite will encrypt your files prior to uploading.
>
> Tahoe-LAFS?
>
> --
> scarp
Re: [liberationtech] Mega
On Mon, Jan 21, 2013 at 11:48:38PM +0000, Jacob Appelbaum wrote:
> I'm not clear on most of the Retroshare design. Is there a threat model?

I share this lack of clarity. One of the things that I perceive as a significant threat to software like this is full compromise of a trusted party's system because, well, it happens to people all day every day. It's not at all clear to me that Retroshare's authors have taken this into account. (That doesn't mean that they haven't: perhaps they have and I just haven't found it yet.)

---rsk
Re: [liberationtech] Mega
On 01/23/2013 03:41 AM, Alex Comninos wrote:
> Cracking tool milks weakness to reveal some Mega passwords
> Dotcom's Mega aids crackers by sending password hashes in plain-text e-mail. Really!
> http://arstechnica.com/security/2013/01/cracking-tool-milks-weakness-to-reveal-some-mega-passwords/
>
> o_0

Mega seems also to have an exploitable bug for email spamming. A lot of bloggers report this.
Re: [liberationtech] Mega
On Wed, Jan 23, 2013 at 07:40:13AM -0500, bbrewer wrote:
> Andreas Bader <noergelpi...@hotmail.de> wrote:
>> Mega seems also to have an exploitable bug for email spamming. A lot of bloggers report this.
>
> All the money in the world, and still, so many listed problems on this new service. Malicious intent, or just complete rush to give the finger to the authorities?

You don't seem to know Kim dotcom Schmitz well.
Re: [liberationtech] Mega
Eugen Leitl <eu...@leitl.org> wrote:
> You don't seem to know Kim dotcom Schmitz well.

I remember seeing him on the Gumball (3000) rallies (in video, not lucky enough to partake), I believe before he was 'dotcom', and realizing how arrogant he is/was/etc. I just think it'd be a way better finger-flicking moment if the service was in fact 'settled' and functioning in a way that actually did such promised items and actions as the pamphlets. Sigh.
Re: [liberationtech] Mega
On 01/23/2013 01:40 PM, bbrewer wrote:
> Andreas Bader <noergelpi...@hotmail.de> wrote:
>> Mega seems also to have an exploitable bug for email spamming. A lot of bloggers report this.
>
> All the money in the world, and still, so many listed problems on this new service. Malicious intent, or just complete rush to give the finger to the authorities?

I guess the 2nd one. But the great thing with Kim Dotcom is the way he gives the finger to the authorities. The good thing is that he's at least not the biggest ***hole in the world of IT.
Re: [liberationtech] Mega
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23 Jan 2013, at 12:45, Eugen Leitl wrote:
> On Wed, Jan 23, 2013 at 07:40:13AM -0500, bbrewer wrote:
>> All the money in the world, and still, so many listed problems on this new service. Malicious intent, or just complete rush to give the finger to the authorities?
>
> You don't seem to know Kim dotcom Schmitz well.

You beat me to it.

IMO, this is a two fingers from Kim Dotcom to the US government, and a PR stunt to garner support from his new host country of New Zealand. He feels hard done-by (and he has a point). It's a PirateBay.org style campaign and will probably be reasonably successful.

The best outcome possible is to point out the issues with it (as is being done), explain why they are important, and hammer those messages through in the media. Those messages will miss some people (as they will only see free and secure), but that's always the way.

bernard
- --
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJQ/+MOAAoJENsz1IO7MIrrAa8IAJDPY7eDe2Dz1iw1FJo3Zr08
c8uRiyjJHPmqZt1194A7hOCax+eP+LwkFoa7DDp4NoXw8O4Frc8DogTXD+soxjDh
4doC2y8AV9y6AC2HUMUrkyEu9M7bra9o9Cbos+sdxLptnL8qnvXE0pWTeOrPiBgZ
uu+Dq4vGyni0nZoXv7XTNox5lE/Rp0bC+9mSNZy1JmB1o7h1RyotU6OtA0ydLK94
XvaGIyaG/PcBqz/zXjDNmRw4oI84UaYsy23gIOS+yW4D4vtwRs0lqMiZjvyJskgU
JYg6Oh+fwsVIJ1H7iJ9JhqMMuaWwQZxPU/w5qirZQlVD8x1mFE2I9G4HMfHqcMo=
=XOUN
-----END PGP SIGNATURE-----
Re: [liberationtech] Mega
It would be nice if it actually worked. I cannot successfully upload, nor can anybody I know. It appears almost no better than OwnCloud. Big disappointment as of now, but I'm going to wait and see what is later developed.

Brad Beckett

On Mon, Jan 21, 2013 at 4:06 AM, Sam de Silva <s...@media.com.au> wrote:
> Hi there,
>
> I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz
>
> Can it be the secure alternative to Dropbox?
>
> Best,
> Sam
Re: [liberationtech] Mega
From what I've seen, it uses insecure means of encryption -- using Math.random and mouse input to encrypt documents.

~Griffin

On Mon, Jan 21, 2013 at 8:02 AM, SAM ANDERSON <blackeduca...@mac.com> wrote:
> From what I have read, Mega is still being built. It's supposed to be ready for the public a few days from now.
>
> Sam Anderson
Re: [liberationtech] Mega
Mega is using server-side Javascript for crypto, so you're trusting them just like you'd trust Dropbox. Other people have reported issues with their implementation, including using weak randomness. I skimmed through their implementation and found some portions that indicate they don't know what they're doing, specifically how they're handling authenticated encryption. I wouldn't use Mega in its current form.

On Mon, Jan 21, 2013 at 4:06 AM, Sam de Silva <s...@media.com.au> wrote:
> I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz
>
> Can it be the secure alternative to Dropbox?
Re: [liberationtech] Mega
Hasn't Retroshare also been under criticism for a lack of audit?

NK

On Mon, Jan 21, 2013 at 2:42 PM, Randolph D. <rdohm...@gmail.com> wrote:
> the secure alternative is http://retroshare.sf.net without payment, without google chrome sponsoring, without central servers. a full alternative.
>
> 2013/1/21 Sam de Silva <s...@media.com.au>
>> Hi there,
>>
>> I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz
>>
>> Can it be the secure alternative to Dropbox?
>>
>> Best,
>> Sam
Re: [liberationtech] Mega
micah anderson:
> Nadim Kobeissi <na...@nadim.cc> writes:
>> Hasn't Retroshare also been under criticism for a lack of audit?
>
> I've always wondered why something like Mega gets a lot of attention and people audit it pretty much immediately, but something like Retroshare, which has been around for a while, never has the eye of Sauron pass over it.

I've wondered the same thing. I think it is because it is small, makes wild claims, calls a lot of attention to itself and is written in a context that many people seem to love to hate.

> So, to those of you who immediately tore Mega apart when it was launched, I ask you... why did you swarm over the latest new thing that nobody has even used, but haven't touched something like Retroshare (or even more core components that we depend on)? Why does something like Mega get all the attention of crypto researchers, but nobody has bothered to look at Retroshare?

I'm not sure that it has no one looking. It uses GnuPG/OpenPGP, it uses email (or a manual paste) to connect up users, it doesn't seem to provide any anonymity for discovery of friend-to-friend connections, what little anonymity it provides is called TurtleHopping (http://retroshare.sourceforge.net/wiki/index.php/Documentation:TurtleHopping) and it is questionable at best, and so on.

> In any case, lack of audit means only one thing - it should be audited. I wonder why nobody has.

Other than weird claims like "There's absolutely no way to know where turtle packets come from and where they go" (http://retroshare.sourceforge.net/wiki/index.php/Documentation:TurtleHopping#Anonymity_issues, apparently the older version of https://retroshareteam.wordpress.com/2012/11/03/retroshares-anonymous-routing-model/), their anonymity model is... not impressive (http://en.wikipedia.org/wiki/Retroshare#Anonymity) from what I've seen.

I'm not clear on most of the Retroshare design. Is there a threat model? Or the way they wish to model an adversary? What bugs would be out of scope (gnupg bugs, openssl bugs, libssh bugs, etc) and what would be reasonable to report?

The project seems like it is nice but it is seriously odd. For example, consider this:

  Friend to Friend (F2F) is the new paradigm after peer-to-peer (P2P). In a P2P network you connect to random peers all over the world. A F2F network only connects to your trusted friends. This makes the network significantly more private and secure.

I'm fairly certain this isn't a new paradigm...

There are lots of questions that come to mind when looking at their wiki and at their design documents. For example, with these long-term keys, they support a model of sharing with friends; what happens if the keys are compromised? Does it provide forward secrecy, non-repudiation or repudiation? I admit, I didn't look closely, but a strongly identifiable file sharing network sure has some important design considerations.

A few other quick issues that come to mind include the use of Speex for VoIP (Variable bitrate operation? ruh roh!; the authors of Speex suggest using Opus as it has support for both CBR/VBR), they seem to have a lot of older versions of third party software hard coded into their build files (see openpgpsdk.pro for more details), they seem to play fast and loose with some traditionally unsafe C/C++ stuff rather than defensively, they seed some RNG use with time (srand(time(NULL)); in services/p3service.cc:240 - it might be better to use OpenSSL's random byte generating functions) and so on.

If anyone wants to dive in - the source code is easy to grab:

  svn checkout svn://svn.code.sf.net/p/retroshare/code/trunk \
    retroshare-code

I'm not sure that this counts as anything more than a giggle test and I did giggle a bit. Though I appreciate the ideas and the effort, I'm fairly certain I won't use it or suggest using it to others without deeper auditing.

Hope that helps,
Jake
Re: [liberationtech] Mega
On 01/21/2013 08:42 PM, Randolph D. wrote:
> the secure alternative is http://retroshare.sf.net without payment, without google chrome sponsoring, without central servers. a full alternative.
>
> 2013/1/21 Sam de Silva <s...@media.com.au>
>> Hi there,
>>
>> I wonder if there's any feedback from this list on Kim Dotcom's Mega project - www.mega.co.nz
>>
>> Can it be the secure alternative to Dropbox?
>>
>> Best,
>> Sam

Retroshare is great, but not an alternative. Retroshare is torrent software with PGP encryption, and Mega is a one-click hoster. Of course you can never trust a company like Mega with your personal data, but if you encrypt them then it should be no problem. I hope that there's soon software like cloudfogger, but for Mega.