
Mega Overtakes Rapidshare, DropBox - balbaugh
http://www.zeropaid.com/news/103145/mega-overtakes-rapidshare-dropbox/
======
alexholehouse
Is traffic to Dropbox.com indicative of anything? I've been a Dropbox user for
years (yo-yoing between paid and unpaid plans based on my need - the ability
to do so is something I hugely appreciate) but never visit the site.

Is this not the equivalent of judging Windows usage based on visits to
microsoft.com?

~~~
AgentConundrum
> _I've been a Dropbox user for years [...] but never visit the site._

I created a Dropbox account (which I do use) a couple years ago, and last week
I visited the site for the first time in almost as long as I've had the
account.

A word of warning to you, since you don't access the site often: your password
expires, and you'll need access to your email account when it does.

My laptop semi-died last week (it's not actually dead, but I couldn't get it
to boot at the time), so I used my girlfriend's to order a new one.

I keep my KeePass database in my Dropbox for just such occasions, so I tried
to log into Dropbox's web interface to retrieve it and access my account on
the computer retailer's website. Dropbox accepted my password, but told me I
couldn't continue until I changed my password, which required clicking a link
they had sent to my email account.

Unfortunately, the password to my Gmail account is also in KeePass, and is an
incomprehensible mess of generated gibberish that I don't know, so I couldn't
get in. I had to reset my Google password using an email account that is
apparently on file with Google, in order to reset my password with Dropbox, in
order to access my retail account with the laptop vendor.

I don't know if this would have been easier had I known about Dropbox's
two-factor authentication before this, or if maybe I could have installed
Dropbox on my girlfriend's laptop and got in that way without needing to reset
anything, but I ended up burning half an hour on this because I didn't know I
had to keep my password constantly up to date on their website.

It seems like an obvious thing to do, but for something like Dropbox which is
just "always there" on your local machine, it's an easy thing to forget.

~~~
petrel
I think you must remember at least one password, and everything else is in the
KeePass database. I also do the same thing.

~~~
raverbashing
Exactly

Some people rely _too much_ on "one password" solutions, because of security,
etc.

But it's very easy to lock yourself out of everything. Very easy.

The best place for keeping important passwords is still my head.

Sure, you can use password management solutions, just keep a backup (piece of
paper, secondary means of logging in, etc.)

~~~
dublinben
If you were ever in an accident, or became incapacitated, those passwords
would be irretrievable in your head.

I think that a software password manager (regularly backed up) with a master
password stored in a secure (offline) location is the best solution.

~~~
raverbashing
Yes, your password DB should be backed up in a couple of places, and of
course, keep the master password offline securely as well. I don't use a
ready-made solution, but something similar with GPG.

And don't forget to test the backups periodically, and check the master
password.

------
sergiotapia
"We welcome the ongoing #Mega security debate & will offer a cash prize
encryption challenge soon. Let's see what you got ;-)"

I can't think of a better way to get someone with real crypto cojones to fix
their crypto missteps. Power to Kim and what he's doing. 50GB for free is
amazing.

~~~
shabble
Hiring a competent and qualified security consultant/company to evaluate their
services/processes, maybe?

The really good hackers are likely out getting paid good money for their work,
and won't necessarily have time to poke at this for uncertain reward. There
might be sufficient value in the publicity associated with finding flaws
(especially while it's getting lots of media attention right now), but a
competition/challenge is rarely a good economic choice for the potential
entrants.

A bug bounty programme might be useful as a supplement to a rigorous security
audit, but the issues discovered so far seem to be things that could have been
identified by reasonably competent netsec people, indicating that such an
audit either didn't happen, or wasn't acted upon.

~~~
asdfologist
What about Google? They hire plenty of competent netsec people, and yet the
Chrome bug bounties yielded discovery of bugs that even those folks couldn't
find.

------
venomsnake
With the amount of publicity it has generated thanks to the incompetence of US
and NZ authorities, it is a wonder it has not overtaken Twitter yet.

But there is the thing: Mega is not a good service, too many false promises.
Seems like a honeytrap for infringers. There are ways to design it better with
better guarantees for user privacy.

~~~
RyanZAG
Can you explain further? As far as I can tell, there does not appear to be any
better possible option given the requirements (usable from a browser, legally
defensible, anonymous usage with proxies, resistant to DMCA takedowns, etc.)

~~~
venomsnake
Well... I had this idea a few years back. I am no encryption specialist.

1. I will get as many Backblaze pods as I can.

2. The client will mostly be the same, with a few differences: the encryption
will be symmetrical (AES probably), with a randomly generated key from
high-quality entropy. This key will never leave the client. File names will be
encrypted too. It will be bundled with the file and uploaded in some blob. For
directories, they can be tarred first before being encrypted. So the only
thing that I will see as a host is the file size.

3. There will be some more keys that will be generated and uploaded: keep-alive
and kill switch. The keep-alive must be given at regular intervals or the
content expires. The kill key will delete the file on the server and as many
of the logs as legally possible, end of story.

4. The server returns the unique URL.

5. You get some text on your screen that will give 3 URLs:
   - kill URL
   - keep-alive URL
   - decrypt key
   - safe download URL (<http://something/url>): the page will ask you to give
     the key. Decryption will be on the client too.
   - unsafe download URL (<http://something/url#key>): the JavaScript will
     begin decryption immediately, but if someone intercepts the URL, he will
     have the key.

6. Premium accounts will be given on scratch cards or bought with bitcoins.
Donations will be accepted anyway but won't give benefits.

7. .onion address for upload.

8. Outgoing bandwidth: the speed of the downloads for all but premium accounts
will be a function of the donations received the previous day.

9. Everything will be open, and the community will be allowed to audit the
systems.

That is in general details.

~~~
ricardobeat
And btw, that's basically what Dropbox (and mostly every other private file
sharing service) does: files are encrypted using your password as the key.

~~~
dublinben
Even if that's true, Dropbox is still able to access your files at any time.
If you don't control the key yourself, it might as well not be encrypted.

------
tuananh
Mega is a file sharing service, Dropbox isn't (well, sharing is just one of
the bonus features). Comparing traffic is stupid!

------
ricardobeat
4shared.com intentionally left out:

<http://cl.ly/image/0q2e462p1V2Y>

Dropbox is used primarily via client apps, those figures must be less than 10%
of its actual usage.

~~~
benologist
Dropbox was intentionally included for link bait.

------
aw3c2
*on Alexa's top list.

~~~
cardamomo
That's an important clarification. The article is eager to make a sensational
statement, offering a clever bait-and-switch claim in the first paragraph. It
starts out mentioning signups...

"If the launch day signups and traffic were something to shout home about,
after the surge of media attention that Mega garnered over the next few days
from sites like ourselves,"

...but ends up supporting its claims with Alexa traffic ratings...

"it only got stronger and now we’re at a stage where Mega has almost broken
into the top 100 sites in the world."

------
tluyben2
Alexa rankings are not reliable.

~~~
mylittlepony
Why not?

~~~
gjulianm
The system they use for metrics is biased. They track the visits of the users
who have installed the Alexa toolbar in their browsers. It's really hard to
get a decent sample of Internet users using that data collecting method.

~~~
adventured
Alexa now does direct tracking, in a somewhat similar manner to Quantcast. I
don't think very much of their data is yet represented in that manner however.

------
furyg3
I wonder how long it will take countries to block Mega in the same way that
torrent sites (TBP) are blocked, and what steps Mega has taken in anticipation
of this...

~~~
markive
He had A-list endorsements coming through with the previous product, when it
becomes that high-profile and mainstream the U$A won't be able to just steal
the domain without public due process... They had their chance, but they may
still find a way...

~~~
riffraff
Not what the OP said. TPB is very much high profile but you can't access it in
some countries because it is banned at the ISP level (with a reasonably public
legal process).

~~~
furyg3
Yes, exactly this. TPB's IP addresses are blocked at ISP level, and the
response has been to set up many reflector sites (e.g. malaysiabay.org), and
mirrors.

A complicated interactive site is of course much harder to mirror than a bunch
of magnet links.

------
islon
I want to know how the security and cryptography work with my files and shared
files.

~~~
brador
Some details in this article:
<http://fail0verflow.com/blog/2013/megafail.html>

------
runn1ng
I don't know... it seems like people are just curious about it, but it
couldn't really be used properly (at least for me... I wasn't even able to
download my files).

Let's give it a few days and then we will see.

