
Kim Dotcom puts up €10,000 bounty for first person to break Mega's security - skeletonjelly
http://thenextweb.com/insider/2013/02/01/kim-dotcom-puts-up-13500-bounty-for-first-person-to-break-megas-security-system/
======
incision
It could be a standing offer with a hole found every other month and they'd be
paying far less than the going rate for a quality, full-time security
consultant.

Better yet, they get to indirectly watch, learn from and adapt to bounty
hunters' work and only pay out if someone stays fully ahead of them.

~~~
eridius
This is precisely why this is nothing more than a PR stunt meant to combat the
people criticizing Mega's security. Mega is probably secure enough that anyone
who is capable of breaking it doesn't need to do so publicly for a 10k Euro
bounty, but would either be working for a government, or doing black hat work.

~~~
nikcub
And "they" don't need to break the encryption, they just need to steal a
user's password.

------
halviti
I'm very impressed by this.

To address some concerns:

\- Even if this is a PR stunt, it's a very good one, because regardless of the
outcome, it convinces many people to sign up.

\- Many people are claiming that he's not going to pay. Given the fact that
this is a PR stunt, it would be twice the failure, and backfire severely if he
did not.

Honestly, I signed up an account just to poke around, and looking at their
offerings, it's quite something.

50GB of space for free! A nice simple and clean interface. The IP addresses of
your last connections displayed prominently.

Maybe I wouldn't trust it with sensitive documents, but as simple cloud
storage, I don't see anyone else offering 50GB of storage for free.

~~~
Trufa
The main reason I don't use it is because I don't want to lose my files if it
gets seized again. That's a pity because it looks and feels great!

------
tptacek
<http://www.schneier.com/crypto-gram-9902.html#snakeoil>

See: Warning sign #9.

Read the whole thing, of course. Holding a contest doesn't make it snake
oil...

~~~
huhtenberg
Your comment makes no sense, of course.

You point at a specific item only to say that this item doesn't apply as is.
Why point at it then? Mega's security effort may very well be disingenuous,
but what you wrote comes across as snobbery.

~~~
jgeralnik
He didn't say the item doesn't apply, he said that it is a warning sign.
Holding a contest doesn't make a product snake oil, but it certainly
correlates to snake oil products.

~~~
huhtenberg
It's the snobbery, not the meaning.

I've been partial to the crypto community since the early 90s and there appear
to be three popular ways to dismiss one's security work without bothering to
understand any details:

  1. Quoting an item from the snake oil markers list

     This is the most popular method. It has good mass appeal as it clearly
     implies that your opponent is a complete idiot and puts him in a
     position of needing to prove the opposite.

  2. Gutmann Sound Wave Therapy quote

     "Whenever someone thinks that they can replace SSL/SSH with something
     much better that they designed this morning over coffee, their computer
     speakers should generate some sort of penis-shaped sound wave and plunge
     it repeatedly into their skulls until they achieve enlightenment."

     This is great: arrogant, includes "penis" and generally makes a first
     impression. It can't be used too often, unfortunately.

  3. Invoking Kerckhoffs's principle and the like

     This is the sophisticated way. You don't really need to understand what
     the term is or whether it applies in a given case. The idea is to just
     dazzle the opponent with obscure terminology to show they don't know
     shit about cryptography.

You've gotta try and be on the receiving end of these. An incredibly welcoming
opening of a dialog between peers. Thickens your skin like nothing else.

~~~
tptacek
I'm interested in some cryptosystems that have been on the receiving end of
any of these critiques that were ultimately shown to be sound and useful.

I'm not asking because I think I know the answer. I don't. I don't follow
crypto the way you follow crypto; I am interested in it exclusively to the
extent that it allows me to break software. You seem to follow the community
as a whole, which is not an interest I share. So you probably have some
insight into it that I lack.

------
kayoone
Kim Schmitz is known for screwing people a lot of times, so if you try your
luck with this keep that in mind.

Endeavors where he took other people's money in return for nothing or didn't
pay prize money:

Ultimate Rally

Kimvestor (letsbuyit.com)

Osama bin Laden bounty

Trendax AI trading company

Liga.net Gaming League (around 1999)

~~~
Dylan16807
Let's see.

Ultimate Rally - never got past the planning stage, who did he take money
from?

letsbuyit.com - He said he was going to invest and then didn't. He never
promised money to the people that lost it here, they were just speculators.
Yes it was illegal, but he didn't breach any agreements. (Actually might not
have been illegal at the time)

bin Laden bounty - nobody gave him information leading to finding bin Laden so
there is no bounty, I don't see the problem here

Trendax - well that's clearly a scam but I can't find if people actually
invested there

Liga.net - please tell me I missed something and you didn't put this on the
list for cheating in a video game

~~~
kayoone
I just wanted to point out that he is/was a shady person and people should be
cautious dealing with him. To address your points:

Ultimate Rally - AFAIK there were some people on forums who paid a
significant entry fee and didn't get it back

letsbuyit.com - clearly illegal, insider trading and he got a prison sentence
+ 100k fine

Bin Laden bounty - true, but it still was smelly

Liga.net - it was a Quake 2 duel league back in 98/99 (if I remember
correctly). Kimble was known for playing lots of Quake back in the day. He
invited the most prominent players; first prize was some super high-end PC (of
the time) and money, but the winner never got it and was kicked out of the
league, which was shut down soon after that:
<http://planetquake.gamespy.com/fullstory.php?id=61507>

It's just a fact that you should not trust this guy given his history. Sure,
people change, but be cautious!

more info:

<http://www.theregister.co.uk/2004/09/30/kimble_rally/>

<http://kotaku.com/5878337/arrested-megaupload-boss-cheated-his-way-to-video-game-glory-opponents-say>

~~~
Dylan16807
Thank you very much for finding some of that information.

------
enoch_r
Why does Mega's security matter to Mega?

It seems like they've implemented encryption to provide plausible deniability
that they're knowingly hosting pirated content, not to actually protect the
privacy of users, the vast majority of whom will not be uploading confidential
data.

~~~
DanBC
Some pirates are paranoid. That's why Usenet providers[1] started offering
encrypted Usenet.

[1] E.g. Giganews, 2006
(<http://www.giganews.com/news/article/encrypted-usenet.html>)

------
chris_wot
Look, it's pretty simple. Kim Dotcom is a snake oil salesperson. Great at
hype, but ultimately if you dig beneath the covers I suspect there will be
nothing there.

I should know, I trusted and was very badly burned by someone who spoke big,
manipulated others and ultimately had nothing whatsoever other than charm and
chutzpah. Give Mega a wide berth, or you too could be badly burned.

Someone else has also pointed to the following article about crypto-breaking
contests, written by Bruce Schneier. Definitely worth a read before getting
excited about this contest.

<http://www.schneier.com/crypto-gram-9812.html#1>

~~~
ramblerman
"I should know, I trusted and was very badly burned by someone who spoke big,
manipulated others and ultimately had nothing whatsoever other than charm and
chutzpah. Give Mega a wide berth, or you too could be badly burned."

Unless that person was Kim Dotcom this is useless diatribe. It is akin to me
saying, "I had a bitter divorce so never marry"

~~~
sturgill
For the record, (and as someone who is happily married) I would discourage
marrying kids. It's better to wait until both of you are at least 18...

------
jpxxx
The hell he'll ever be cutting a check. This is nonsense. And are people
seriously using this service? It's like renting a cardboard safe deposit box
in a bad neighborhood.

~~~
genwin
Add TrueCrypt (easy) and it's 50GB of free _secure_ cloud storage.

~~~
jpxxx
... the use of which drives attention, legitimacy, and revenue to a scumbag.

~~~
genwin
Make sure to apply the same standards to all the companies and people
(including half of Americans) getting away with much worse.

~~~
jpxxx
It's conceptually easier to go through life avoiding brazen bastards than
three quarters of humanity.

------
mike_herrera
> It's been seven busy days for us since MEGA went live. As millions of users
> were hitting 50,000 freshly written and barely tested lines of code and
> dozens of newly installed servers, teething troubles were inevitable. --
> Mega blog entry #4

If I were a gambler, my money would be on an infrastructure/man-in-the-middle
or social-engineering attack vector. The people are likely stressed and the
code is admittedly troublesome.

Godspeed.

~~~
scottbartell
"50,000 freshly written and barely tested lines of code"... it sounds like
they're doing it wrong.

~~~
jaggederest
In my opinion, code is never fully tested unless it's produced under extreme
clean room conditions (i.e. autopilots, nuclear plant software, space shuttle
software), or has been used in production for a fair amount of time.

Even if your code has full path coverage, you're almost certainly going to
interact with an unpredictable outside world that can cause code to fail in
novel and interesting ways.

~~~
DanBC
> Even if your code has full path coverage, you're almost certainly going to
> interact with an unpredictable outside world that can cause code to fail in
> novel and interesting ways.

Yes.

(<http://www.f-22raptor.com/news_view.php?nid=267>)

> _Don Shepperd told CNN Television that the onboard navigation,
> communications and fuel systems crashed as the planes crossed the
> International Date Line._

> _The problem seems to have arisen not from the time change, but from the
> change in longitude from W179.99 degrees to E180 which occurs on the
> International Date Line._

> _The USAF refused to specify the cause of the issue saying only that the
> aircraft "experienced a software problem involving the navigation system en
> route from Hickam to Kadena"._

The Wikipedia article List of Software Bugs has some other scary examples of
billion dollar systems destroyed, or people killed, by bugs.

(<http://en.wikipedia.org/wiki/List_of_software_bugs>)

------
nwh
If anything, it'll be an attack against their entropy gathering (mouse
movements) or a mis-implemented encryption spec. Given the number of XSS holes
in the site, I bet someone will be claiming that bounty soon.

------
ck2
Isn't he a billionaire? Have you seen the photos of his home?

He might want to make the reward slightly higher than what the black market
will pay out.

~~~
VonGuard
Dunno why you were downvoted. Yer very right. People just don't talk about it
this loud.

~~~
corin_
He was down voted for illogically raising the wealth of Dotcom. By all means
argue that it's too low, but the decision for this cost should come from the
company's financials and the potential benefits of that spend, not the size of
the house its owner lives in.

~~~
ck2
I mention his wealth because it's specifically from his business and offers a
comparison to his ability to pay for security fixes that threaten the very
operation of such business.

It's like saying hey this business is worth $100k a day to me but I'm only
willing to pay $10k to anyone who can show me a problem that would expose all
my customers and bring it to a halt, perhaps permanently if the data got into
the wrong hands, foreign governments, etc.

~~~
chaz
A business can't go to the founder as its own piggybank to get out of bad
decisions. It's not only a legal and accounting nightmare, but it's bad for
the business, too.

~~~
VonGuard
I didn't really care about who has what money. I just agreed with his point
that 10k doesn't beat the black market for something this high profile.

------
hawkharris
I respect that many people are interested in the ethics of this proposal, but
I'm more interested in having a technical discussion about the code, exploring
some of its strengths & weaknesses, etc.

I'm always impressed with HN's pool of tech knowledge and enjoy learning tech
tips from more experienced hackers. (Of course, I suppose there's a good
chance these folks are hacking instead of commenting, and maybe they don't
want to give away what they've found.)

------
SomeSpectackle
Capture the keystrokes & mouse movements used to supplement entropy for the
in-the-browser. Recently, the Internet Explorer vulnerability exposed the fact
that any webpage can see all mouse movements.

MiTM

~~~
vincentkriek
How would this be a man in the middle attack? You should be able to record it
yes but as you said keystrokes & mouse movements are used to SUPPLEMENT
entropy, as in they also use other entropy.

~~~
nwh
They aren't using anything but that and `rand()`. They could use the Crypto
library in Webkit, but they're not.

------
sschueller
He should have the reward go up every month it is not claimed.

------
beyti
10 grand is a bit cheap when I think of all the advertising done for Mega's
security?

------
benologist
1) Use the key passed in the url fragment

Doesn't really seem that complicated?

------
Attocs
does this have anything to do with me getting a 403 from
<http://kim.com/mega/> ??

------
visarga
Did he pick euro to spite USA?

------
nu2ycombinator
mega-search.me already looks like it is having problems.

------
ForFreedom
only 10K?

