Dotcom Offers €10,000 to Potential Code Crackers

Dotcom Offers €10,000 to Potential Code Crackers

Crack Mega's cryptography to win yourself ten grand.

You've almost got to admire Megaupload founder, Kim Dotcom's, sheer talent for ballsy showboating. Having enraged copyright proponents across the globe, Dotcom seems intent to caper about the internet, thumbing his nose at the entertainment industry and the FBI like some kind of rotund jester. His latest venture, a cloud-based file-sharing service born from the carcass of Megaupload - simply titled "Mega" - has been met with criticism from security experts and copyright warriors alike. Dotcom's response? A challenge.

:#Mega's open source encryption remains unbroken! We'll offer 10,000 EURO to anyone who can break it. Expect a blog post today," Dotcom tweeted earlier today.

Mega's security is unorthodox. Everything a user uploads is encrypted before it leaves their browser, using a master key that can be unlocked by a password known only to the user. In other words, Mega can't tell what the user is uploading. Critics argue that the system isn't so much about protecting the user's information as it is about providing Mega's operators with plausible deniability when it comes to copyright-infringing files.

But the system has also come under fire from security experts. The number-crunchers argue that the encryption system's random number generation isn't up to snuff, and that the cryptographic hashes could be cracked using dictionary-based attacks. Dotcom obviously believes otherwise.

Honestly, I'm not sure who I'm rooting for here. On one hand, it'd be wonderful to see Dotcom eat crow and have to hand out ten Gs to some random cryptanalyst. On the other, the file-sharing baron's antics do tend to whip MPAA-types into frothing fits of rage, and I'd be lying if I said that doesn't keep me warm at night.

Source: The Register

Permalink

image
Though I am disappointed that he specified "Potential Code Crackers". Black people know how to use computers too Dotcom!

I'm rooting for the Troll here. His antics just make me laugh too much. Go Kim!

Well, I think it's kind of hilarious since the idea of the encryption seems to be deniability rather than functionality. The idea being that some pirate or whatever would put the decryption code right there in the comments or whatever so people could receive the file. Kim of course being able to blame people's "poor security habits", claim it would be unethical to use those keys himself, or simply claim too much traffic to investigate every file with an unlock code.

It will be interesting to see what happens, and how exactly this system will wind up being user friendly to pirates, which is what copyright defenders are getting at.

AFAIK it's not the first company to make a similar challenge - although from what I know they rarely make it this public, and the reward is more often a temporary gig as a security consultant to patch up the hole they've found

I wonder how much he'd pay if I cracked his front door...

tbh this is easier than hiring tons of security experts to test your stuff, just wait until somebody get the job done, then pay that person, if it doesn't happen, then nothing is lost

Its funny and tbh its a clever man taking the piss, as long as he's not hurting anyone bar the big corps I don't think it'll ever matter.

Quaxar:
I wonder how much he'd pay if I cracked his front door...

Nothing, he'd mistake you for the FBI and surrender.

So hes just issued a challenge to the internet.

Id give it a few days at least. No more than 2 weeks.

weirdguy:
tbh this is easier than hiring tons of security experts to test your stuff, just wait until somebody get the job done, then pay that person, if it doesn't happen, then nothing is lost

Yeah. 10k euros is probably how much one security "expert" will charge per hour...

It'll be interesting to see how this goes. Looking forward to it. :D

Actually a pretty good strategy for Kim it's a win either way
One way his security is robust enough that noone hacks into it
On the other hand if there are a range of security flaws he is able to learn about them directly and is able to patch his software to improve it.
While the latter is obviously a lesser win for him it is a good strategy because a security flaw he doesn't hear about could cost him alot more than $10'000.

gigastar:
So hes just issued a challenge to the internet.

Id give it a few days at least. No more than 2 weeks.

Didn't Valve do that and it's still going with the whole steam guard thing? Internet isn't that all knowing. Then again, this does actually seem to be a bit more breakable, but the man's idea is pretty sound either way. If it breaks, he fixes it and he's covered. If not, reputation for being awesome is gained.

Oh it does make me feel happy that people are so against his websites. Do these people have the same sort of rage against dropbox?

Edit: Honestly though, it's saddening that he's even needed to resort to a "look, we can't even see what's in the fucking file, are you happy now?" system in response to the absolutely ridiculous idea that they should police every single file on that site.

I'm a big fan of Kim. He's sort of a cannibal in how he is turning on those which he belongs to the same group - mega millionaires - but he's on my side in that fight.

As always, business is most successful when it innovates and develops unorthodox approaches to traditional, predictive problem solving. Kim's turning his nose up at the traditional method, insulting those who employ it and making millions in the process.

Breaking the cryptographic hashes is not necessarily going to earn you those 10k. The cryptographic hash is derived from the users password they provide when they create an account, and since Mega can't be responsible for the user choosing a weak password (in fact, there is no security system that can make up for that effectively. Hash iteration is a possibility, but costs huge amounts of CPU).

With that said, security experts have criticized the hashing-algorithm itself that they use at Mega. If you can prove to them that you can break a very complicated password in a relatively short time, it might be enough to net you the money.

How could ANY modern day encryption not be secure enough?

I mean, last I checked, even law enforcement agencies were entirely unable to crack truecrypt

That'd look good on a resumé. Credentials sir? Well, I cracked Mega's encryption and there's the car I bought with the money.

Honestly though, that song is just the worst most uninspired crap I've ever seen.

This guy is quickly becoming my personal hero. Not because he's a pirate, he's just got the biggest balls ever. This guy gets in trouble for his site being pirate central... so what does he do? Why, he sets up a website to be an even BIGGER file-sharing HQ but now with the largest built in plausible deniability setup this side of anything ever.

He knows what he wants to do for the rest of his life and those in charge are going to keep putting nonsense out there to stop him. But does that stop him? No sir! He just gets clever. And if he gets in trouble? No sir! He'll just do it again... BIGGER AND BETTER than before! And when they get obviously unjust in their pursuit of him? No sir! He flips the ruling judge a freedom bird and start trolling.

Edit: I mean, hell, at the launch party of his new file-sharing company - featuring conch-shell music and large men in loin-cloths - he staged a mock raid aimed at making fun of those who arrested him for doing the very thing he was doing again... WHILE ON BAIL!

Pebkio:
This guy is quickly becoming my personal hero. Not because he's a pirate, he's just got the biggest balls ever. This guy gets in trouble for his site being pirate central... so what does he do? Why, he sets up a website to be an even BIGGER file-sharing HQ but now with the largest built in plausible deniability setup this side of anything ever.

This. Also, he is my hero because even though he already made enough profit from Megaupload that he could have lived the rest of his life in a palace built out of money bricks without ever doing anything else, yet he CHOSE TO continue sticking it to the man even at the risk of getting arrested again.

Copyright apologists would always love to apply their own amorality to everyone else, how supposedly everyone is in it for the money only, but it all falls apart when people like him, or the Piratebay crew, are showing this kind of determination when the only extra benefit from going on is that they can continue to support their ideology.

I hope that this lasts long enough to make the RIAA and MPAA sweat some, then when it does get cracked he ups the security, thanks the cracker, and continues pissing everyone off. Dotcom's got swagger to spare in the online game, and I love it.

bringer of illumination:
How could ANY modern day encryption not be secure enough?

I mean, last I checked, even law enforcement agencies were entirely unable to crack truecrypt

Because even if encryption is easy, key management is hard.

And key management especially becomes hard once you start making requirements to the system. In the case of Mega, the system not only has to be able to store your files. It also needs to let OTHER users download those files through a special download URL which includes a key (without those users knowing your password). Not only does the data have to be securely transmitted over the internet, but it has to be available on a wide range of computers which can provide the correct information for decryption/download (which forces some of the key storage to take place on Megas servers, which can be seized by the FBI).

Also, since it is browser-based, the platform can have some problems. JavaScript, which is the system they use for the encryption, might be limited in how well it generates random numbers, which is important for how secure the encryption is (if you can break an RNG, you can break the encryption), and might also be limited in how it can gather entropy (used to make the RNG more secure/random).

Compare that with TrueCrypt, which has the freedom to implement any RNG system it likes, and only has one basic functional requirement (encrypt/decrypt stuff for anyone who knows the password and/or has the correct keyfiles), and which can store the (encrypted) keys locally on the partition or in the container that is encrypted. The latter is much more easy to secure, and even then TrueCrypt actually has weaknesses (more specifically, the Evil Maid attack).

This, btw, is one of the reasons that the US military doesn't encrypt the video streams from Predator Drones, even though it allows terrorists/enemies to watch the video as well. The failure properties of terrorists watching the videos is far less severe than the problems that arises from the key management for the video streams (imagine ground soldiers in the field not being able to get critical intel from the stream because of a key management failure, or the drone not being able to be deployed because the keys aren't in place at the base that needs to watch the streams, and if we want our allies to watch the streams, we suddenly have to start sharing our keys with them).

Edit: One final thing i wanted to add, is that once you start a service like this where the company (Mega) has very limited information about what you're doing (since most of the stuff, including much of the information about the files, are encrypted from the users end), the service becomes harder to change. It becomes more difficult to add, remove or change features because you can't modify encrypted information without the keys. As an example, initially you couldn't change or reset your PW, although they fixed that problem now (mostly. You can't reset your PW if you aren't logged in and forgot it, you can only reset it if you ARE logged in through the 'remember me' feature, but forgot the PW).

Anonymous get on this!

DVS BSTrD:
Black people know how to use computers too Dotcom!

Only if they steal a computer to practice on :P

gigastar:
So hes just issued a challenge to the internet.

Id give it a few days at least. No more than 2 weeks.

I know nothing about the details of Mega's encryption process but I know for a fact there exists encryption such that you could never crack them in a million years using modern technology and know-how. So saying "few days, no more than 2 weeks" solely off of "he challenged the interwebz" is pretty ignorant.

See, there's only really two ways to crack something: either use Brute force and guess the key via dumb luck, or try to reverse engineer the keygenerating formula so that you can obtain the key for any encrypted file. The first is impractical if the size of the key is long enough and the key generation is perfectly random, and the second can be made to be impossible (well, given our current knowledge of the subject).

From the information given it sounds like the key generating software isn't fully 100% randomized. The article mentions Dictionary cracking and that's a variation of Brute Force where you start with common passwords first; since we're talking keys here, not passwords, it may mean that the key generator is biased towards generating certain kinds of key patterns.

Slightly in love with this guy. Balls of steel.

Apparently upon the birth of his twins, he had the placenta sent to the FBI to check there was no pirate DNA. What a guy.

http://torrentfreak.com/kim-dotcom-becomes-proud-dad-of-twin-girls-120325/

Only ten grand!?

weirdguy:
tbh this is easier than hiring tons of security experts to test your stuff, just wait until somebody get the job done, then pay that person, if it doesn't happen, then nothing is lost

Yes. There is a reason why FBI hire people that manage to hack into their servers. those people are obviously very good at it and can protect against hackers like themselves.

Pebkio:
This guy is quickly becoming my personal hero. Not because he's a pirate, he's just got the biggest balls ever. This guy gets in trouble for his site being pirate central... so what does he do? Why, he sets up a website to be an even BIGGER file-sharing HQ but now with the largest built in plausible deniability setup this side of anything ever.

You are aware that the MAIN reason for the raid on Megaupload HQ were charges of moneyfraud and piracy was just a secondary charge?

Doublepost, please delete.

I love Dotcom. No matter what happens, he doesn't give a shit what anyone thinks of him. Before he got rich, he was just a power-tripping overweight nerd, and he's still true to that, only with shit-tons of cash and encouraging followers.

Go Dotcom go!

Strazdas:
You are aware that the MAIN reason for the raid on Megaupload HQ were charges of moneyfraud and piracy was just a secondary charge?

O...kay? I'm not finding that on any actual reports, but yes, I've heard the nonsensical claim that the raid on all the Megaupload equipment was because the owner of that Limited Liability company was charged with a crime. However, did YOU know that most of the charges filed against him involve copyright infringement anyway? And that three others employed by Megaupload Limited were arrested same as him all for the same crime?

Still, I'm not finding anything official about the money-fraud thing. Perhaps you'd like to share the source you're using for your information? According to Reuters: "They were originally charged with five counts of conspiracy and copyright infringement." In fact, go read the year-old article right here.

And after some digging I found that New Zealand judge Justice Helen Winkelmann reported that "They were general warrants..." as in, no specific charges listed within the search warrants. Also, they used only the SEARCH warrants to justify a 70-officer-raid to arrest four men.

So yeah, he's still got some real brass and I'm rooting for him.

Pebkio:

Strazdas:
You are aware that the MAIN reason for the raid on Megaupload HQ were charges of moneyfraud and piracy was just a secondary charge?

O...kay? I'm not finding that on any actual reports, but yes, I've heard the nonsensical claim that the raid on all the Megaupload equipment was because the owner of that Limited Liability company was charged with a crime. However, did YOU know that most of the charges filed against him involve copyright infringement anyway? And that three others employed by Megaupload Limited were arrested same as him all for the same crime?

Still, I'm not finding anything official about the money-fraud thing. Perhaps you'd like to share the source you're using for your information?
And after some digging I found that New Zealand judge Justice Helen Winkelmann reported that "They were general warrants..." as in, no specific charges listed within the search warrants. Also, they used only the SEARCH warrants to justify a 70-officer-raid to arrest four men.

So yeah, he's still got some real brass and I'm rooting for him.

go read the escapists magazine article on it

"racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering and two substantive counts of criminal copyright infringement."

Oh and im not saying hes some evil person, i think the raid was unjustified and they should have not done it.

Capcha: ball of confusion.
It knows, it always knows.

Critics argue that the system isn't so much about protecting the user's information as it is about providing Mega's operators with plausible deniability when it comes to copyright-infringing files.

Was there honestly any real question to that? It's 100% the reason why.

All Dotcom's about is making the most money he can out of every technicality and loophole in copyright law or just by straight up breaking it discreetly. Nobody should be on this fucker's side. Even those who heavily criticize the different governments over their handling of file-sharing business HAVE to see that this guy only reinforces their hardest positions. This guy gives everyone online a bad name and image.

Therumancer:
It will be interesting to see what happens, and how exactly this system will wind up being user friendly to pirates, which is what copyright defenders are getting at.

Well it's because it's exactly what Dotcom is aiming for in the first place. Advocation and enabling of piracy is his main agenda since it made and continues to make the most money for him.

Therumancer:
Well, I think it's kind of hilarious since the idea of the encryption seems to be deniability rather than functionality. The idea being that some pirate or whatever would put the decryption code right there in the comments or whatever so people could receive the file. Kim of course being able to blame people's "poor security habits", claim it would be unethical to use those keys himself, or simply claim too much traffic to investigate every file with an unlock code.

It will be interesting to see what happens, and how exactly this system will wind up being user friendly to pirates, which is what copyright defenders are getting at.

Trouble is, as has already been demonstrated, Mega just removes the files anyway. They don't know if the takedown request is legit or not, they don't and can't try to verify it, they just take it down.

Not very useful for pirates.

 

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Register for a free account here