Isn't it true that ANY web storage and file-sharing company could be raided and shut-down tomorrow?
What's different between Megaupload and Dropbox or any of the others? If the Feds (and the Motion Picture industry) decide that Dropbox is hosting pirated works they could suffer the same fate, no?
I am not focusing on Dropbox here. They are just a place holder for any storage/sharing service you'd care to name. I use Dropbox almost exclusively and love it.
The point here is that, unless I am wrong, your data isn't safe anywhere outside your own four walls. So, if data loss is your concern, be sure to back it up locally.
If you do things right it should not matter if Mega (or any other service) implodes overnight. Set yourself up to not loose anything if that were to happen. If you do that, then you can use any service and sleep well knowing that such a failure (or confiscation by the Feds) is of minimal or no consequence to you.
Your data is safe with rsync.net, or any other provider that does not build a business model around "sharing" or "social" or web links or any other bullshit like that.
It's not file storage that presents the political risk - it's letting idiot kids store things publicly, for free, because you are pursuing some "make it up on volume" business model that we all knew was broken 13 years ago.
They probably just want to serve embedded video in a way that they can't be accused of contribution to copyright infringement. What they added is a layer of encryption. But can they do video playback on an encrypted stream? What in-browser video player works with encryption keys?
Isn't it true that ANY web storage and file-sharing company could be raided and shut-down tomorrow?
I think the most accurate thing you could say is that the odds vary considerably based on the intentions and actions of the operators with respect to criminal activity, and the extent to which they can be inferred by reputation.
Framed as practical advice, I'd say: Your data is probably much safer with services that don't have a reputation for being used mostly for piracy.
They answer your question (from the TOS): "You must maintain copies of all data stored by you on our service. We do not make any guarantees that there will be no loss of data or the services will be bug free. You are completely responsible to remove all data prior to termination of services."
Reading their TOS makes me not want to use the service (but thats true to any other "cloud storage" provider aswell).
> Isn't it true that ANY web storage and file-sharing company could be raided and shut-down tomorrow?
I'd say at its present state, MEGA servers are one of the least likely to be raided, considering the clusterfuck with the last raid.
> if data loss is your concern, be sure to back it up locally
That's a horrible advice. A company that does data storage professionally is much less likely to lose your data. If you have a house fire or a major flood, your computer and your backups will be gone.
Diversification is the key to data safety. Back up both locally and online.
That is far from horrible advice. And you are taking "locally" way too literally. You get to define what "locally" means. It definitely means "not trusting a third party with your important data".
In my case it means that I keep three full backups of everything at three different locations and with various incremental and full-backup schedules. Old data that doesn't see a lot of activity is archived and even burned to DVD and stored in a fire-proof safe. I know that some of it is a bit extreme, but I actually take my work product very seriously and most of it represents "cubic hours" of work. I take the position that my business data is my responsibility and I store it "locally" with enough redundancy that it would take a pretty major event for a significant chunk to be lost.
That does NOT mean that I don't use remote storage/backup services. It DOES mean that I operate as if they could be reduced to dust tomorrow. Which, in turn, means that I have all of the convenience some of these services offer while not having to worry too much about issues at the backup provider ruining my life.
At least, your data won't be visible to Mega or the Feds.
And if they get raided, the Feds won't have shit against Mega or you.
About the backup part, they have servers in different countries, so it's safer. Personally, I wouldn't rely on any service alone, I always have an extra copy somewhere else. I do the same with my emails for example. If tomorrow my email provider shuts me down, I will lose at most ~12 hours of emails. All my other emails are in my PC and in Dropbox (encrypted, obviously). Next, I sign up to a different email provider, change my domain DNS, and keep receiving emails normally like if nothing happened.
MEGA could be the only cloud storage I'd actually start trusting. I don't use Dropbox, I don't use Google Drive or anything else, because I'm not interested in other people being able to peep at my data.
While I don't perceive Dotcom as a trustable character, his incentive to NOT store any encryption keys on the servers is much higher than any of his competitors.
According to the site "Wuala protects your privacy: In stark contrast to most other cloud storage services, all your files get encrypted on your computer, so that no one - including the employees at Wuala and LaCie - can access your private files. Your password never leaves your computer."
I think Hushmail made the same claims, until compelled by law enforcement to send altered client software to the machines of suspects.
Not sure how these other companies operate, but unless the user hand-encrypts files with openssl, gpg, pgp, etc., then the trusted client software has the potential to be a vector for compromise.
Use SpiderOak[0] then. They assure strong zero-knowledge privacy and, while the client isn't technically open source, much of it is completely unobfuscated python. I definitely trust SpiderOak with my data. It also has more features than Dropbox or Drive... You can set syncs as between a subset of all devices, create an arbitrary number of syncs, and create some backups which aren't syncs too. It's quite nice.
Another service which is open source is Tarsnap[1]. It doesn't do syncing or have a free tier, but it's definitely trustable online storage.
In both of these cases the encryption keys are not on the servers.
An additional provider which claims to offer cloud storage/backup with zero-knowledge is Crashplan[3]. I wouldn't trust them as much as either of the previous options, but I still think they're telling the truth. I note it partly because I really like their approach. You can a) let them keep the key and thus you can still reset your password etc, b) let them keep the key so you don't have to transfer it manually to all crashplan-using computers, but have it encrypted on their end with a password only you know (can't be reset), or c) provide your own key which they claim they'll never know. These three tiers make sense and at each one you sacrifice some usability (such as the web-interface being unusable at (c) I think) in exchange for security.
So yeah, dropbox and google drive are both obviously able to look at your data, but that doesn't preclude using other cloud storage providers. There's many that are trustworthy and have the code to prove it. In the case of Mega, I'd trust them less than the typical one. They're big enough that the government will notice them... they'll need to make it usable (allow password resets etc), it looks like you upload unencrypted data and then they encrypt it server-side (edit: turns out it's client side javascript encryption. Downside there is it'll probably be a bit slow)... All of these are problems. If it's not sent already encrypted with a key they've never touched then the government could court-order them to alter the software to store unencrypted copies or to keep encryption keys. Since they're the one giving you the key they obviously know it at some point, however briefly, and they are thus vulnerable. Forcing users to generate and supply keys just isn't user-friendly on a web-only application. The only way you can make that work, as SpiderOak did, is have the user download an application which seamlessly does all the crypto work.
I do hope this is a joke. "some fancy acronym like AES"... I can't tell if this is a failed attempt to be funny through saying something so ridiculously stupid or if you're serious. There are lots of acronyms that are BS, but AES isn't one of them. It's mathematically backed and has been thoroughly tested to be strong.
Dropbox being a YC company means absolutely zero other than that YC liked their idea and supported them. That doesn't give me any assurance that they won't make a mistake or that an employee won't sell my data.
In fact, Dropbox, despite being a YC company, already slipped up majorly once to the point that every account was completely passwordless. You could just type in random emails at the web login and view some stranger's files. Story here: http://techcrunch.com/2011/06/20/dropbox-security-bug-made-p...
On the other hand, AES has yet to slip up. My AES encrypted data will take a significant fraction of the life of the universe to crack and, YC or no, a single programmer error won't break it.
Is a fancy acronym like YC any better? I would trust the founders not to look at private data, but any company that has employees is vulnerable to one of them going rogue.
YC doesn't control Dropbox. Whatever trust you have in a minor shareholder, it shouldn't translate to trust for the company.
There are other reasons as well: potential vulnerabilities in their software, malicious/crazy/corrupted employees, etc. Healthy need-to-know rule is enough to decide that if there's no reason your cloud provider should have access to your data, he shouldn't have it.
They also give you +1GB per referral which is quite big. It's a little unethical, but you could invite yourself a couple times to double the storage space. Or get actual referrals.
You're right, technically they're not doing anything groundbreaking. The difference is that they already have a huge fan base, ridiculous amounts of publicity, and much better UI and pricing than spideroak.
Also AltDrive Online Backup (http://altdrive.com) is unlimited, easy, supports all major operating systems, and allows for a private encryption key [AES-256 CTR Mode encryption] so that customer's file data cannot be read by insiders. It's cheap too.
There aren't a bunch. Sugarsync and Dropbox only offer encrypted transport of your files. To actually encrypt the files/folders themselves requires a 3rd party piece.
Mega offers everything wrapped in encryption, so presumably, his company will have plausible deniability (zero knowledge) of the files/folders that his service is being used for.
From a technical standpoint, I also believe it makes de-duplication impossible but someone with more knowledge on that subject can comment on it.
> Dropbox uses modern encryption methods to both transfer and store your data.
Sure, you're right that the difference is that dropbox holds the keys and mega doesn't. But you're also ignoring the fact that Dotcom has had considerable interest from law enforcement in the past, and that some companies have cooperated with law enforcement by pushing malformed client software to some customers.
Thanks for the clarification on Dropbox. So it appears that the "key" (pun intended) is who has the key. Dropbox offering "encrypted" storage while holding the key, isn't really encrypted storage now is it. :)
What's confusing about it? I use it personally and also regularly set it up for most of the clients I consult for. I've never had anyone come to me and say they've found the interface confusing. It just works.
I like the logical chess game that Dotcom is playing here. Even if everybody knows that some of the storage will be used for copyrighted material, it can't be proven that ANY of it is. There are many legitimate reasons why people want secure, encrypted and private storage, so innocent until proven guilty (which can't be proven!)
Well, copyright owners can still send DMCA takedown requests on links that include the decryption key. But Mega can't automatically take down copies of the data (since any copies will be encrypted by a different key), and more importantly they can't offer big copyright houses custom tools (like MegaUpload did, and Youtube does) that find and flag material for them automatically.
I wonder how much of a house of cards would be necessary to distance MEGA from such indexing sites and yet still profit from it. Dotcom did say he is interested in new business models. How new could it be?
There are any number of cloud storage options (SpikerOak, Crashplan, Backblaze, Tarsnap, Amazon, Wuala, etc.) which offer client side encryption using a key you control. I would consider any of those before I trusted important files to this new service.
My quandary: I don't trust any third-party client, and the clients I do trust are too cumbersome.
In the end, I think I'll just use an EncFS volume and back it up with whomever is most convenient. If MEGA gives me 50 GB of free storage, they are very convenient.
I still have my doubts about their privacy practices, I would love to see a detailed technical article on how the actual PKI infrastructure works.
I could register and (apparently) generate a private RSA key, which was sent to mega.co.nz as part of a HTTP POST payload. I wonder if that's only used for the current session, which I guess is mandatory, but I'd like to understand more: how does the model work for sharing, for instance.
Couldn't they just pull the plug on all of their servers? Then they wouldn't need the keys. They could demand removal of copyrighted files, but if Mega refuses to do so, they could demand the server be taken offline until they figure out how.
So this says all files will be encrypted with RSA, doesn't that mean who ever wants to access them needs the key? Is this just not a successor to Megaupload then? How will sharing files publicly work? Or will it at all?
You could do that if there is a per-file key. But you'd need some client software to store and manage keys for individual files for easy exporting urls including these keys, and I read that MEGA is managed only via web (at least now).
Personally, I can't wait for this. Yes, I have a Dropbox account and have for years, but I like the ideology behind this, and lately the US government doesn't seem to be all that concerned about the liberties of its citizens - or citizens of any country.
I'm just wondering if it has a desktop sync like Dropbox. Now that would be MEGA.
> but I like the ideology behind this, and lately the US government doesn't seem to be all that concerned about the liberties of its citizens
Definitely a case of "no such thing as bad publicity". At this point, he probably has better name recognition than dropbox, before the product is even out.
It is not bad publicity at all. In fact he has, despite his problematic past, shown the strongest commitment possible to his clients. He could have sold or left Megaupload long before things came down. He could have left the Mega idea behind and put his focus and money towards saver ventures. But instead he continues to stay dedicated to the cause he is fighting for.
Showing that you are willing to fight for your cause, despite having powerful enemies, and sticking to your mission even after your company, your home and your private life have been raided, demonstrates integrity. And integrity is probably the best publicity you can get - especially when operating in controversial industries.
I personally would love to see a Mega incubator that fosters an environment of similar challenging ideas (for example building on Mega's in-browser encryption).
Are you sure? I don't think I'm the only one having reservations about signing up for a MEGA account. Since his last product didn't last, what tells me that the same fate is not going to hit his new project? I can't put needed files on a product that might go down with my files someday.
That said I support the guy and will use MEGA. But double back up of sensitive files with a dropbox/skydrive/google drive.
It seems to be mostly web-based so it might be better suited for sharing sensitive information etc that should not fall into the hands of the service provider.
For personal encrypted sync & backup I'd guess encrypted you-hold-the-key solutions like CrashPlan, Tarsnap, Wuala and SpiderOak are better options.
There are stating in their help page that Firefox allocates as much memory as the size of the downloaded files, which is not very convenient for this kind of application.
> However, some legacy or technically inadequate browsers require the entire file to be stored in memory for downloading (Firefox, IE10, Opera), or for both downloading and uploading (IE9, Safari 5).
At the end, the choice is yours but they are fairly warning you that the UX would be better on Chrome / ium.
Well I don't like their tone, I don't need to be told that my browser is "outdated", especially if it's not, it works perfectly fine for basically the rest of the internet, including web dev tasks. If there is a very specific use case for which it's not the best, they should have said so. They should have checked whether I'm using IE6, or the latest FF version, and adapt their speech accordingly. I feel like an angry nerd right now, but I'm the user this time so I'm right and they are wrong.
What's different between Megaupload and Dropbox or any of the others? If the Feds (and the Motion Picture industry) decide that Dropbox is hosting pirated works they could suffer the same fate, no?
I am not focusing on Dropbox here. They are just a place holder for any storage/sharing service you'd care to name. I use Dropbox almost exclusively and love it.
The point here is that, unless I am wrong, your data isn't safe anywhere outside your own four walls. So, if data loss is your concern, be sure to back it up locally.
If you do things right it should not matter if Mega (or any other service) implodes overnight. Set yourself up to not loose anything if that were to happen. If you do that, then you can use any service and sleep well knowing that such a failure (or confiscation by the Feds) is of minimal or no consequence to you.