Privacy Blog

“By continuing the process of inflation, governments can confiscate secretly and unobserved an important part of the wealth of their citizens.” – John Maynard Keynes, writing about the effects of a seemingly small amount of inflation every year.

File Storage Web Site was Hacked but the System’s Design Means No User Data was Compromised

A hacker group claims to have obtained source code and admin accounts for the file-sharing site Mega, formerly owned by internet entrepreneur Kim Dotcom. The hacker group, known as the Amn3s1a Team, claims it also obtained internal documents from the company’s servers by exploiting an escalation of privilege vulnerability. Supposedly, the hacker group could access the data stored on the servers.

There is but one problem (for the hackers): all the data is unreadable.

Part of what makes MEGA so special is its end-to-end encryption. Mega utilizes in-browser, symmetric key encryption. All data to be stored in Mega is first encrypted on the users’ computers before being sent across the Internet to the servers. Being encrypted means that the only ones who can read the data are the users who created the encryption keys. The employees of Mega cannot read the (encrypted) data, nor can government snoops, nor can hackers anywhere in the world. Mega employees cannot see so much as the file names, and neither can anyone else who might gain access to the files. Every file or folder anyone uploads has its own key, again generated in part from the encryption key created by the user. You’re the one sharing file keys; Mega couldn’t share your keys even if it wanted to. Mega employees don’t know what you’re storing on the servers, by design.

Since even the file names are invisible to employees, the company cannot even delete files. It has no method of identifying individual files to be deleted.

In fact, there is a method of recovering a forgotten password/encryption key if the user saves a secret key when the account is created. If the user ever loses that recovery key, he or she is locked out forever. There is no method for the employees to recover a lost password/encryption key.
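The design described above (a user-held key, a separate key per file, encrypted file names, and no server-side recovery) can be sketched as follows. This is an added example, not Mega's code or its actual algorithms: AES-256-GCM, scrypt, and every function and field name here are assumptions chosen for illustration.

```javascript
// Added illustration of client-side envelope encryption; NOT Mega's real scheme.
// Assumptions: AES-256-GCM for sealing, scrypt for password-to-key derivation.
const nodeCrypto = require("node:crypto");

// Encrypt and authenticate; returns one opaque blob: iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Reverse of seal(); throws if the key is wrong or the blob was modified.
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Runs on the user's machine only; the master key never leaves it.
function deriveMasterKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Each file gets its own random key; that key is wrapped with the master key.
// The returned record is everything the server ever stores for this file.
function encryptForUpload(masterKey, name, data) {
  const fileKey = nodeCrypto.randomBytes(32);
  return {
    id: nodeCrypto.randomBytes(8).toString("hex"), // opaque handle, not the name
    wrappedKey: seal(masterKey, fileKey),
    name: seal(fileKey, Buffer.from(name, "utf8")),
    data: seal(fileKey, data),
  };
}

// Only a holder of the master key can unwrap the file key and read the record.
function decryptDownload(masterKey, record) {
  const fileKey = open(masterKey, record.wrappedKey);
  return {
    name: open(fileKey, record.name).toString("utf8"),
    data: open(fileKey, record.data),
  };
}
```

An attacker (or employee) with full access to the stored records holds only `id`, `wrappedKey`, `name` and `data` as ciphertext, and a wrong or lost password makes `decryptDownload` throw rather than return anything.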

Mega didn’t invent encryption or anything. It’s not the first cloud storage service to use it either. It just happens to be implementing it on a wide scale, and in a particularly savvy fashion. In my opinion, all cloud file-storage services should emulate Mega’s example. This isn’t rocket science; a few other file storage services do the same, including SpiderOak, Tresorit, and perhaps a few others. Why don’t ALL the file storage services do the same? Where do you want to store your files? Mega offers 50 gigabytes of storage free of charge to anyone who wants it.


Categories: Encryption, Online Privacy & Security
