Since the illegal closure and take-down of Megaupload in January, 2012 people were anxious what might happen with the case and whether a new Megaupload will follow. Kim Dotcom has already announced the relaunch of Megaupload in November, 2012 and an exact year after the raid the new Megaupload now simply called MEGA (MEGA Encrypted Global Access) has launched.
What MEGA supposedly makes different from every other file hosting service such as Dropbox, Google Drive and more is the built in and mandatory end-to-end encryption. A reason for them to implement this is of course so they can have plausible deniability and claim that they have no idea what kind of content is hosted on their service. A side product of that is also privacy for their users hence MEGA also calls itself "The privacy company". Is it really, though?
A quick look at the Security & Privacy page of their Help center shows this:
"All encryption is end-to-end. Data uploaded is encrypted on the uploading device before it is sent out to the Internet, and data downloaded is decrypted only after it has arrived on the downloading device. The client machines are responsible for generating, exchanging and managing the encryption keys. No usable encryption keys ever leave the client computers (with the exception of RSA public keys)." - MEGA Help center
That sounds pretty awesome. Real end-to-end encryption, that seems pretty safe to me. Let's take a closer look. They are kind enough to lay out their exact process with their MEGA API on the developers page. There it reads:
"Each user account uses a symmetric master key to ECB-encrypt all keys of the nodes it keeps in its own trees. This master key is stored on MEGA's servers, encrypted with a hash derived from the user's login password." - MEGA API
Eh? So, the master key is after all stored on MEGA's servers? I'm confused.
"In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. Its private component is stored encrypted with the user's symmetric master key." - MEGA API
What? So... the symmetric master key is stored on MEGA's servers albeit "encrypted with a hash derived from the user's login password". Well, they can grab my password every time I log on or simply save it in plain text in the first place. The private component of my RSA key pair is also stored on their servers albeit "encrypted with the user's symmetric master key", where we just stated why that is broken. But wait a minute. Didn't it clearly state "No usable encryption keys ever leave the client computers" in their Help center? Oh, I see. They are encrypted, hence they are obviously not "usable". Yes. That makes sense.
Now to be honest with you, I'm by no means an expert in cryptography nor have I checked any of their source code and what it actually does. But you can all get down to it with a simple assumption and raising one single question.
Let's assume all the encryption and decryption is in fact done on the client side only. How is it possible to simply switch browsers and/or computers and use all of the encryption and decryption functions without transferring any keys between them whatsoever? Because all of your keys are stored on their servers whether they are stored "encrypted with a hash derived from the user's login password" doesn't matter. They are stored there.
That concludes that in theory it is totally possible for them to decrypt all your files, whether they do that or not is up to your belief and imagination, the ability stands.
How does the upcoming case against MEGA look like? Judge: "Is it true that you actually were able to decrypt and read all the files hosted?" - Kim: "Yes, but we never did."
Real end-to-end encryption does not require you to trust the file hosting service. MEGA does.
"The privacy company"
Welcome to the United States of America (USA)! Please step right through our national mascot: the Stars and Stripes metal detector, probably made in China, India, Pakistan or some (other) third world country, who cares! We are proud of it and thus you have to be too!
I've been to the USA recently and I am rather disappointed with that trip. It's not the first time I visited the USA, I've been there before a couple of times, first in 1993 in fact. What I want to talk about is mostly my opinion of the USA turning into a police and surveillance state, which surely is getting worse and worse by the day. My last trip before this one this year was in 2007, where they already took fingerprints and a photo of everybody wanting to get into the USA, be it vacation, business trip or anything else. You want to come in? They shall have your fingerprints and a photo. Now if I recall correctly, back in 2007 they "only" wanted your thumb prints of both hands. This time they wanted prints of every finger of both hands. Do I have a problem with that? Yes, I do. In my opinion it is ridiculous to have everybody under this general suspicion of whatever they are afraid of (TERRORISM! OMG!) and justify taking prints this way.
What is also new for me is their online registration form (Electronic System for Travel Authorization (ESTA)) which you have to fill out, basically to apply for entry in the first place (instead of a visa). Enter all your personal data into it, including passport number and answer some questions. Like for example:
"Do you have a communicable disease; physical or mental disorder; or are you a drug abuser or addict?" - ESTA
Or my favorite:
"Have you ever been or are you now involved in espionage or sabotage; or in terrorist activities; or genocide; or between 1933 and 1945 were you involved, in any way, in persecutions associated with Nazi Germany or its allies?" - ESTA
Why, yes, of course! I've been born after 1945, which I just told you, but surely I was associated with Nazi Germany. But hey, before even answering these questions, check this out:
"On March 4, 2010, President Obama signed into law the Travel Promotion Act (TPA) of 2009, Pub. L. No. 111-145. The Act directs the Secretary of Homeland Security to establish a fee for the use of the ESTA system, comprised of $10.00 for each VWP applicant receiving authorization to travel to the United States and $4.00 for the processing of the ESTA application. Applicants who are denied authorization to travel to the U.S. under the VWP will only be charged $4.00. The fee may only be paid by credit card. Applicants may save the application data and return to the application at a later date to enter the payment information. However, the application will not be submitted for processing until all payment information is completed." - ESTA
Nice. $14 going directly to the U.S. Homeland Security. And of course it may only be paid by credit card, what else? That way they also have your credit card info and can check all your previous transfers. After all you might be funding Al-Qaeda and just don't want to mention it.
Oh well, first rages were had. But anyway, finally I arrive there. The usual patriotism is the first thing that hits you at the airport: big USA flags, a store with all kinds of patriotism items (more on that later). Don't get me wrong, patriotism to a certain degree is not that bad in my opinion, however in the case of the USA it just seems hypocritical. Why? More on that in a bit. The patriotism obviously continues when I was at an American football game: "Please rise and take off your hats for the national anthem of the greatest nation in the world." (something along that, not an exact quote). Even the stadium logo, which was illuminated only in green before, turned into a Stars and Stripes animation. Of course it wouldn't be a proper American football game without some U.S. Army veterans showing up during small breaks so everybody can cheer for them.
What made me rage the most, though, is the fear of terrorism (OMG!) everywhere. Go up the Empire State building? Metal detector, x-ray! Go up the Rockefeller Center? Metal detector, x-ray! Hence the new national mascot of the USA: the Stars and Stripes metal detector. Visiting a museum? Backpack check! Visiting an American football game? Backpack check! Look up the ceiling in any building: security cameras! Look up the sky in New York City: security cameras on light poles! Oh, if you could just see this George Orwell...
Something that also made me shake my head was the American Museum of Natural History. At one point they show a movie how humans are destroying the earth with their lifestyle, logging rain forest, etc. And then there is the planetarium show "Journey to the stars" which shows how great our universe is and how it was created. In the credits of the show it mentions that it was "made possible through the generous sponsorship of"... wait for it... Lockheed Martin! One of the world's largest "defense" (read: military weapons) contractors. How ironic is that?
Anyway, coming back to my previous point about hypocritical patriotism. Let's just have a look at those two products:
Which of these products was proudly made in the USA? Which wasn't? Click the products to find out. (Sorry for the bad image quality)
And this is something you will find everywhere all over. Buy a model Statue of Liberty for your living room at the patriot store at the airport, or anywhere else, it doesn't really matter: it is made in China. Obviously most products these days are made in China or (other) third world countries since the actual labor there is way cheaper and capitalists always want to have the most profit they can get. I get that. But how can you justify producing patriotic products like a model Statue of Liberty or fan equipment for American football teams there? Pure hypocrisy.
Original article photo cc by-sa Daquella manera
Personally, I'm a fan of sarcasm, I just can't get enough of it. Some people are really good at it, makes me laugh sometimes, sometimes it just makes me sad however.
So as a short introduction to understand what I'm going to post, in case you're not familiar with the history of East Germany:
There once was a wall between West and East Germany (no shit Sherlock). Do note that all the quotes I'm posting are originally in German (see the original at the end of each quote).
About two months before the wall was built, an Eastern German politician, named Walter Ulbricht, said the following:
"Nobody has the intention of building a wall." ("Niemand hat die Absicht, eine Mauer zu errichten.") - Walter Ulbricht, 1961
A true master of sarcasm.
Lately there seems to be another politician mastering the arts of sarcasm in Germany, namely Wolfgang Bosbach. I've collected quite a few quotes of him already, so let's just take a look.
"Nobody wants to establish a surveillance state in Germany." ("Es hat niemand vor, einen Überwachungsstaat in Deutschland zu errichten.") - Wolfgang Bosbach, 2007
"Nobody wants to introduce scanners in Germany which optically expose the passenger." ("Niemand will in Deutschland Scanner einführen, die den Passagier optisch entblößen.") - Wolfgang Bosbach, 2010
And his latest addition, just few days old:
"We also don't want that the German armed forces will be converted to some sort of police assistance which can always be called when police forces of the German federation and states are overloaded." ("Wir wollen auch nicht, dass die Bundeswehr zu einer Art Hilfspolizei umfunktioniert wird, die immer dann gerufen werden kann, wenn die Polizeibehörden des Bundes und der Länder überlastet sind") - Wolfgang Bosbach, 2010
Convincing, if you ask me.
Sometimes however he kind of gets lost in his own scheme and actually says things how he truly intends them:
"We badly need a definite legal basis for law enforcement agencies to monitor encrypted communication of terror suspects via the Internet." ("Wir brauchen dringend eine sichere Rechtsgrundlage für die Strafverfolgungsbehörden, um auch verschlüsselte Kommunikation Terrorverdächtiger über das Internet überwachen zu können") - Wolfgang Bosbach, 2010
This country clearly needs more security! OMG, we're all going to die because people blow themselves up all the time!
On a totally unrelated note: Choot that pizza chit!
I got up the other day after a long night, not fearing anything being wrong, just the usual morning. Still a little sleepy I turned to my PC just to find this in my face: "Germany on high alert due to 'plot'"
I panicked. Immediately I called my local police station to report these weird looking Middle Easterns who moved in next door. They don't speak German, they don't look German, they just look like a big bomb waiting to explode to me. After what seemed to me the longest half hour of my life, a black van pulled in the driveway, men rushing to my neighbor's door with weapons drawn, kicking the door in. I hear screaming and loud noises. Five minutes later the men escorted these monsters out the door, into the van and tagged them with a yellow star. What a relief.
Oh no, wait. I think I got a little bit confused with history there. Anyhow.
So, I was relieved, lying back proudly in my chair thinking I did a fine service to my country when suddenly the men from the van rang my doorbell. They were probably going to thank me, or so I thought, so I opened the door just to suddenly have a gun in my face and get arrested. What for? The reason seems obvious enough, really. I'm a terrorist. Now that I think about it, it all makes sense. How could I, as a citizen of a democratic country, read articles by a terrorist network like Al Jazeera? What was I thinking? I must have been out of my mind. Of course the Stasi logged what I was doing on the Internet and acted appropriately.
OK, fine. While this might have been a work of fiction in some parts, just take a minute and think about what my point is.
Let me quote what the interior minister of Berlin, Ehrhart Körting, said:
"If we see something in our neighborhood, if suddenly three rather strange-looking people move in who try to keep out of sight and who only speak Arabic or another foreign language that we don't understand, then I think one should make sure the authorities know what is going on." - Ehrhart Körting (Spiegel article)
And with the findings of a "bomb" in Namibia that apparently was headed for Munich, Germany, I have reason to be scared, or do I?
What appeared to be a "bomb" was found at the airport of Windhoek, Namibia. It was a suitcase which had:
"batteries that were attached with wires to a detonator and a ticking clock". - Bundeskriminalamt (BKA) statement
Later it turned out that this was just a "test". A testing device manufactured in the U.S. for usage at airports and other security areas, to see whether detectors and employees will detect the major threat this device eradiates. Have you seen the device? It's actually pretty funny:
X-RAY TEST OBJECT NON-HAZARDOUS
and some info about the manufacturer (Larry Copello Inc.) below. On a funny but irrelevant side note, the wiring was apparently done by an 80-year old woman.
Question is, who planted this device? At the moment they're blaming it on a police officer in Namibia.
Whoever they're going to blame it on, let me see if I got this right:
You're telling me a device that appears to be a bomb was found at the airport of Windhoek, Namibia (which once was a German colony) and was supposed to head for Munich, Germany one day after Germany raised their "terrorist threat level" because they're fearing an attack. Really? They're still looking for the culprit?
The only real terrorist here is politics and that's about it.
Read the original article "The "LOLWUT" moment" here if you haven't already.
In recent news: India also has access to RIM's BlackBerry Messaging codes for decrypting messages now:
"The Indian government press office is reporting that Research In Motion (RIM), the Canadian company behind the BlackBerry, has provided the government with an interim solution to enable Indian government agencies to eavesdrop on BlackBerry Messenger Service (BBM) traffic." - The H Security article
So, to avoid banning of services in certain countries, because they are actually secure in a way, they simply go ahead and hand out their decryption codes. Excuse me for the harsh language but, what the fuck? Privacy? Non-existent anymore it seems. What's making me rage the most, though, is how all these companies advertise with secure and private communication, yet they support countries in eavesdropping on their citizens.
This is just one example, there are other companies doing the same. See Deutsche Post for example.
Instead of providing security and privacy, which is what they advertise for, these companies take a dump on their customers and support retarded governments spreading terrorist and security propaganda. It's just sad.