Mega is not secure

It’s a bit of old news, but since the default way of sharing if Mega, I think it’s relevant. Mega is not as secure at it claims to be. I don’t know of any alternatives.

Research published on Tuesday shows there’s no truth to the claim that Mega, or an entity with control over Mega’s infrastructure, is unable to access data stored on the service. The authors say that the architecture Mega uses to encrypt files is riddled with fundamental cryptography flaws that make it trivial for anyone with control of the platform to perform a full key recovery attack on users once they have logged in a sufficient number of times. With that, the malicious party can decipher stored files or even upload incriminating or otherwise malicious files to an account; these files look indistinguishable from genuinely uploaded data.

This would be a problem if I wanted to store my personal data there, but for porn I really don’t care.
Let 'em have it - we’re all about sharing :wink:


Sure, but most porn is copyrighted material and most places it’s illegal to share copyrighted material. Some porn companies does aggressively threatens to sue people over copyright infringement. So I think people at least to be aware of the risks. And since it would be trivial to link your name to the porn you share on Mega you are taking a risk.

Malibu Media, which runs the site “x-art,” files civil complaints in courts around the country. Each complaint accuses an anonymous Internet user of illegally downloading and sharing one or more of Malibu’s movies. But the complaint goes further: Malibu attaches a list of other movies and files that Malibu accuses the user of copying illegally. Some of them have titles that are far more lewd and embarrassing than the titles of Malibu’s own movies.

Sure, but Mega (or anyone with control of the platform) being able to decrypt files has no impact on that imho.

I stopped reading Ars Technica years ago. They went full woke after being bought by Condé Nast. This could be just an article to damage MEGA’s reputation.

1 Like

You can read the reasearch paper here:

Abstract—MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure. We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway. Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models

This is not something Ars Technica made up.

Less than 1% of MEGA links I’ve come across have a decryption key and aren’t encrypted in the first place, anyone with the link can access the data. …and even if an encryption key is used, people posting the content publicly are supplying the key to share the data, making it pointless anyway. …so it only really matters if it’s personal or business data, such as a backup of your financials/tax data/passwords/secrets or if you were dumb enough to let your plans to do high cri mes of taking over the world, baking up dee rugs, and decided to let that float across the web, through a cell phone network, etc. Likely the latter would be best on either paper locked up or on a computer or other device that never touches the internet once encryption software is downloaded. I’m convinced that’s the only true way to know the custody of your data is to never let it ‘see outside’.

You must be new, Welcome to the internet. Don’t enter ANY of your personal information into the internet because even if it is advertised as “secure” for now, it likely wont be for long. If you really care about security you should be disconnecting all your devices from the internet once you’re done using them. OR you can do what nuclear power plants do and create an “air gap”, and never connect your device to the internet at all. But if you think you can add information to the internet and have it be “secure”, you’re sadly mistaken. It’s just not interesting or important enough to be gone after, until it is. But for now the dozens of people that might see your mega is not a priority when you have tens of thousands accessing eporner or spankbang.

There is no secure cloud, no secure p2p file sharing, no secure internet, no secure world. All you can do is inform yourself of the dangers, create ways to protect your self from said dangers, and update those protective devices as bad actors improve their methods.

And if you think this is bad. Google AND Apple both scan every image that you store in their cloud, send via email, or send via text for certain illegal activity. If detected they will not only ban you from using their services, they can/will/have reported people to law authorities. Many parents learned this during covid when they didn’t want to take their children to the dangerous hospitals, so instead dealt with things like diaper rash by sending their doctors images via text or email, only to get banned from those services shortly after for distributing pedophilia. And while they probably do scan for other illegal activities, this is the one that was reported on because of those innocent parents getting falsely flagged.

Then you have the fact that they are incentivized NOT to have total security. I don’t pay for Gmail or any other google services. They’re losing money on me. But if I do something illegal, they can report it, and then the law enforcement agency can request access to all that information, and they will provide it. This is happening so much that the big tech companies went before congress and told them they need to charge a processing fee to pay for the staff needed to keep up with all the demands law enforcement is making for access. So now Google charges $10,000 to access someone’s account. If they made those accounts “secure”, they would lose that revenue stream.

Facebook disclosed performing experiments on their users. They would suggest certain posts to influence moods before displaying certain ads to see if they were more likely to buy when in a changed mood. It worked. To put this into perspective. The facebook app on your phone is listening. It hears you having an argument with your spouse. It shows you posts about other people displeased with their spouse. And then shows you ads for Tinder. But that example is only theoretical. All facebook admitted to doing was successfully experimenting on a few million of it’s users. I’m sure afterwards they took what they learned, locked it in a box, and never touched it again.

The point of all this is the internet is a dangerous place. You’re worth something to EVERY website you visit. They’re all trying to get as much out of you as they can, and the more you give them, the easier it is for them to do that. The only actual “security” out there, is not participating at all. But if you’re going to illegally upload porn to the internet and then complain that you might get caught and punished, you probably shouldn’t be on the internet anyways.

You must be new to cybersecurity, because you write like someone who has never worked a day in the field. The point is not to remove all risk, the point is to be aware of them and mitigate them as must as possible.

Even that is not guaranteed to be more secure. It can even be less secure as outages to create a potential vulnerability on its own.
Your modem might want to communicate with the ISP server again, and instead of having a constant stream (which is harder to disrupt), it now tries to initiate a fresh one, which is often easier to manipulate. Your modem might because of that get infected. This is a basic thing in any encrypted protocol (and i dont even know how much modems rely on encryption for these things, but at least some basic security features should be there).

Its very common for modems to get completely new information from providers when offline for too long (you often get a new ip address), so identifying that such thing could have happened becomes even harder.

Dont tell things about security if you dont know what you are talking about as while you think its better, it can harm. Security is (extremely) difficult and the most common thing to do (which is recommended) is to leave these things to experts and let them manage it for you. This includes your modem. Your ISP has security as a passive task, they will always be busy maintaining it, its better to trust them on that end.

And yes, its nitpicking on a certain point, but this point is exactly why making extreme statements is just a bad idea. Its often just not true.

So what you’re saying is if you’re going to participate in the internet there might be dangers? I guess that might be why I said “The only actual “security” out there, is not participating at all”. You listed a vulnerability I did not. Yes it’s nitpicking. But the point of my post was not to give specific directions on how to protect yourself. The point of my post was to educate yourself, especially if you’re going to partake in illegal activities.

The internet is a dangerous place. Even if i could type 1,000 words per minute, and never sleep, you still wouldn’t have enough time in a lifetime to write about every danger currently on the internet and how to protect yourself from them. Let alone the dangers yet created. You should never take actions based on the advice of 1 person on the internet either. That’s how idiots end up trying to recharge their iphones in the microwave.

The problem is that ‘not participating at all’ is not possible in most cases. Even if you never even touch a computer, your personal information can still get leaked. And it gets worse since now you have no control about anything at all, you have to rely on 3rd parties for some of the basic things.

Governments require many things to be digitialy provided, even if you send a physical letter, the first thing that gets done is scanning and converting it to digital. Thats an additional step towards using the governmental provided stuff. It allows someone to modify the document before scanning, someone has to attach it to your identity (which is vulnerable to mistakes). And scanners are often ignored as a security risk by many people so they are rarely updated and highly vulnerable to malware.
This is often less safe than just using the website of the government.

Sure, you can decide to move towards some remote location that is disconnected from the rest of the world, but to get there, you will have to interact first. And by that still face risks.

Again, its just not a good statement as in the current society its not true.

I am in San Diego, and know several people here who do not partake in the internet. They have no computer, no cell phone, no internet, no smart tvs, etc. It’s easier than most people think without moving to some cabin deep in the woods. Yes, you’re in a digital database with the government. They’re also in phantom databases at google and facebook as well. You really are missing the point. There is NO SUCH THING AS SAFE! Life is full of risks, and there is no way to not be at risk for something. So you educate yourself about the dangers, decide which risks are worth taking, and create defenses against the rest. Some people sky dive, some ride motorcycles, and some get anxiety just crossing a street.

And here you contradicted yourself which caused the responses in the first place.

And yes, true safety doesnt exist. And yes, those quotes arent enough to display a nuance here, not all languages and nations use those quotes the same way.