Topic: Kim Dotcom Mansion: Press conference 2013-01-19 GMT - page 4. (Read 20489 times)

Thx for the pointer.  I'll be keeping my eye on this work!

I don't have any RasPI stuff.  I've got a boatload of old Soekris 4801's that I got off e-bay some time ago with some vague intent of using them for Bitcoin related work.  I used to run bitcoind off my router and it worked beautifully but that was back in the old days when it was still a P2P solution.  Suffice it to say, I've given up on hoping for a peer to be much less than a state-of-the-art server class piece of equipment as time goes by.  Probably even IF blockchain pruning proves to be workable.


I've never been able to download my sub-MB .png after multiple attempts.

I started downloading your image, then went outdoors to do some other stuff.  When I got back the download screen reports 100% and 581.2 Kbps, but I cannot find the file anywhere on my system.

I am on Viasat/Exede satellite which may have something to do with my generally poor results.  High latency connections tend to be poorly tested by developers and network engineers and put extra strain on load balancers and that sort of thing.  My other option is a modem.  I'm pretty used to sucking hind teat out here in the boonies.  Just thankful that I can work at all in the rare instances when I feel inclined to do so.

Another hypothesis is that the evil government is fucking with my network connection.  Fun to ponder, but I kinda doubt it.

Encryption 4 lyfe 

http://arstechnica.com/security/2013/01/cracking-tool-milks-weakness-to-reveal-some-mega-passwords/

I did. 5MB/s for the first 10%, then pause and finished with an average of 3.8MB/s.

Your making me blush, I only released it yesterday though so it is still very alpha go over to mining ( https://bitcointalksearch.org/topic/linux-mining-distro-for-the-raspberry-pi-minepeon-137934 ) if you want to help testing.

Anyway, back on topic, did you manage to use the mega download link?

You da man!  I am dying to see what Avalon used for a chipset and am quite interested in a fully auditable OS and flexible mining image in case I (or someone more competent) wish to undertake work along these lines.

I guess I should look at your link real quick...yup, looking good.

Managed to get a 'somewhat' large file uploaded at about 319KB/s into a hack about account.  If anyone wants to have a go at downloading it here is the link;-

MinePeon-2013-01-22.zip (317.2 MB)
https://mega.co.nz/#!cNYxgRLb!PGTQEXIFiwVc9Im118YSYQqxCDw1hpFjLtbLPKEVadA

I promice the file is safe, it is a Raspberry PI image with cgminer installed on it that I am playing with getting ready for ASIC's. ( http://mineforeman.com/minepeon/ )

Hmm, so now uploading small files works but uploading blk0001.dat kind of has issues. It got to 50% at 1.2MB/s before but now I checked and it is at 43% again. This is not good for their servers if they have to receive many bytes double.

Edit: Now I definitely saw it reach 100% for the blk file and I couldn't wait for anything to happen, so I coded. Next time I checked it was at 42% again and my machine is at its limits all the time.

"You can lead a horse to water, but you cannot make it drink" so they say.

If Mega were terribly interested in subverting their advertised inability to access user's files, or were in cahoots with other parties who had such an interest, a) this is not the most reliable way to do it, and b) we've got other more significant things to worry about.

That said, the appropriate way to deal with any security issue is always to assume the worst as a starting point.  It well could be that Dotcom has copped a plea to get him off the hook on his past indiscretions and has agreed to run a monster honey-pot or something of that nature.  Again, that should be assumed to be the case by anyone playing with the service.  As time goes by, evidence supporting or going against this hypothesis will crop up.

maybe that's the point 

I might mention to anyone thinking about creating a Mega account to put more thought than normal into the password.  It is not just a typical web-site access thing (like bitcointalk.org, for instance.)

The password one chooses becomes an integral part of how access to all files that one stores.  I read somewhere that there is some protection against guessing attacks, but I don't know how it works and I am pretty sure that if one choose 'test123' that would render one's files readable by many many parties.

Currently the ability to change passwords is not implemented.  What one chooses one is stuck with.  I usually default to a non-trivial and unique password for anything I sign up for and did in this case, but had I realized how critical it was I would have been much more careful in choosing the Mega one.

That said, until the service becomes vaguely usable it's a bit of a moot point (unless one is silly enough to upload critical or important data in this early period where there are so many questions swirling around.)

Thanks, now i have understood!

Good clarification.

I would also add that Mega did not send the link.  I did.  The decryption key (again, NOT public/private keypair or 'asymetric' crypto) was generated by me on my own computer using javascript code which Mega delivered to me when I logged on.  Part of the input that this code needed was my password.  Mega could not have generated that key because they don't know my password.

So far, I have not been able to even download the file.  I either get the temporarily unavailable message, or things seemingly start and never complete.

I have played with things enough to figure out how folder sharing seems to work.  It seems that in order to share a hierarchy of files, one needs to input the recipient's e-mail addy (which, presumably, means the recipient needs a Mega account.)  I had hoped that there was some magic by which this was not necessary (like, say, encrypting all files within with a 'folder key' or something along those lines.)  Oh well.

---

I do share Hazek's pessimism that these guys will be attacked on all fronts by the state(s) who will and always have gone to great lengths to make sure that they at least can monitor all of their subjects.  The US has bumped 'can' up to the level of 'do' much much more than I am compfortable with.

I find it noteworthy that Mega has chosen as a centerpiece of their efforts a universal statement of human rights, and one that I believe in fiercely.

Cribbed from Mega's web page:  'Universal Declaration of Human Rights, Article 12'

  "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. Everyone has the right to the protection of the law against such interference."

Bitcoin would do well to lean on this more than they already do IMHO.  Bitcoin, and crypto-currencies generally, are as much a moral thing to me as anything else.  To be honest, I was almost completely unaware of this 'universal declaration' thing until the Mega goings-on brought it to my attention but generally it is one of those things that one can just sense in their bones is 'right'.  Or at least it is to me.

You don't have to share the decrypt key in the link. You can provide just the link, and it will ask for the decrypt key (for that file). It is not publc/private keypair.

I'm not an expert, but I think that when you share a link of your file, you are basically giving the recipient your public key , and he will decrypt the file using his own private key.

Of course there will always be problems even with this (and am going to be using the same approach as blockchain.info for CIYAM Open) but it is a starting point that can be worked on for improvement (setting up a whole new system of *trust* is not going to be anything easily solved).

Are plugins once peer reviewed actually secure?

Not going to happen.

Just look at hushmail.com and how they were dealt with. As far as I know they did in fact offer actual embedded encryption meaning a user didn't need to do anything outside of merely logging in and sending an email to another hushmail user in order to have his correspondence encrypted. And while this still holds true for the contents of an email account they were since forced by LEAs (I believe at least that this is the case) to add algos that spy on emails in the moment before they are encrypted and sent out.

The only way this will become an industry standard is if some rouge companies around the world like Mega, not in anyway connected with the US, decide to take on and resist huge pressure by various states grasping for power and engage in a constant legal battle of survival and you can call me a pessimist but I don't see many people lining up to voluntarily seek a beating like Kim Dotcom is even though I sincerely wish there were..

Test/Update.  Things are working better today.  A long way from usable, but better.

If anyone is interested, here is a URL to an image with the key embeded.  Optionally, up to the bang could be given and the remainder (the decryption key part) could be sent via e-mail (or, say, single sideband radio for instance.)

https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ

At the risk of (further) spamming the forum, I just want to see if I could make this an image:



edit: another test:

https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ


[/quote]

Why it doesn't ask me the key for decrypting? If the key is embedded in the link, how mega could act as it doesn't know the key?

The critiques I've seen so far strike me as mainly FUD and bunk.  If someone hacks into Mega's servers they can do a lot less damage than to almost anyone else's systems.  If people can attack https via mitm attacks and such, a lot of institutions have some big problems.  As for delivering javascript, seems to me that if this turns into a big problem Mega will be able to publish certified checksums or have some trusted third party do it which will make such an attack that much more difficult.

I personally am looking forward to accessing the service sans browser and javascript at all and as best I can deduce so far, this should be quite doable.  IOW, I think (hope) that delivery of the javascript in real-time is more of a convenience thing than a necessary function and the code could be implemented in a more simple, static, and auditable form.  I never had any confidence in browser plugins (for no particularly well researched reason though.)