
Mega has launched - bavidar
https://mega.co.nz/
======
gjulianm
I just found a weird thing in their ToS [1] ...

 _8. Our service may automatically delete a piece of data you upload or give
someone else access to where it determines that that data is an exact
duplicate of original data already on our service. In that case, you will
access that original data._

Duplicate check, I get that. But, how do they do it? They say the files are
encrypted on the browser, so if I upload file X and other user uploads X too,
they can't know they're the same because both uploads are encrypted. So, they
can check only for duplicates of the encrypted outcome of each file. But,
wouldn't that be inefficient? Probability of collision in encrypted files is
(AFAIK) really low, something like 2^(-N), N being the size of the file in
_bits_... If I did it well, it'd be a collision probability of 7.458E-155 for
a file of 1MB.

[1] <https://mega.co.nz/#terms>

EDIT: Added example.

~~~
jiggy2011
Possibly convergent encryption, basically when you encrypt the file you use a
hash of the file as the key. This key can then be encrypted with several
different passwords meaning that several people can decrypt this file.

~~~
gjulianm
This? <http://crypto.stackexchange.com/questions/729/is-convergent-encryption-really-secure>
<http://www.ssrc.ucsc.edu/Papers/storer-storagess08.pdf>

It seems really interesting, so they can check for duplicates while keeping
files secure. Thanks!

~~~
politician
From that StackExchange link, the top-ranked answer has the following comment:

"However, one more attack: an attacker can guess plaintexts and test if you
have that file."

If that's the case, pirates beware.
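
The convergent-encryption idea from this sub-thread, and the guess-and-confirm weakness quoted from StackExchange, as an added example that is not part of the original comments and is not MEGA's code. All names (`keystream_xor`, `DedupStore`, `convergence_secret`) are assumptions of the example, and a SHA-256 counter-mode keystream stands in for AES so it runs on the standard library alone.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), used only so the
    example runs on the standard library. A real client would use AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def convergent_encrypt(plaintext: bytes, convergence_secret: bytes = b""):
    """Derive the file key from the content itself, then encrypt.
    With an empty secret, equal plaintexts give equal ciphertexts for everyone."""
    file_key = hmac.new(convergence_secret, plaintext, hashlib.sha256).digest()
    ciphertext = keystream_xor(file_key, plaintext)
    locator = hashlib.sha256(ciphertext).hexdigest()  # the server's dedup index
    return file_key, ciphertext, locator

def wrap_key(password: bytes, file_key: bytes) -> bytes:
    """Per-user copy of the file key, locked under that user's own password.
    XOR keystream, so calling it again with the same password unwraps."""
    return keystream_xor(hashlib.sha256(b"wrap:" + password).digest(), file_key)

class DedupStore:
    """Server side: holds ciphertext only, one blob per locator."""

    def __init__(self):
        self.blobs = {}   # locator -> ciphertext
        self.owners = {}  # locator -> set of user names

    def upload(self, user: str, locator: str, ciphertext: bytes) -> bool:
        """Store the blob; return True if it was already present (deduplicated)."""
        duplicate = locator in self.blobs
        self.blobs.setdefault(locator, ciphertext)
        self.owners.setdefault(locator, set()).add(user)
        return duplicate

    def who_holds(self, candidate_plaintext: bytes, convergence_secret: bytes = b""):
        """Confirmation-of-file check: holding a candidate plaintext is enough
        to recompute its locator and see which accounts reference it."""
        _, _, locator = convergent_encrypt(candidate_plaintext, convergence_secret)
        return sorted(self.owners.get(locator, ()))

def demo():
    sample = b"constructed sample file contents\n" * 64  # constructed input
    store, wrapped, flags = DedupStore(), {}, []
    for user in ("alice", "bob"):
        key, ct, loc = convergent_encrypt(sample)
        flags.append(store.upload(user, loc, ct))
        wrapped[user] = wrap_key(user.encode() + b"-password", key)
    # Bob recovers the shared blob with the key only his password unwraps.
    bob_key = wrap_key(b"bob-password", wrapped["bob"])
    recovered = keystream_xor(bob_key, next(iter(store.blobs.values())))
    # Carol mixes in a secret the server does not know: no dedup, no match.
    _, ct, loc = convergent_encrypt(sample, b"carol-private-secret")
    flags.append(store.upload("carol", loc, ct))
    return {
        "dedup_flags": flags,                          # [False, True, False]
        "blobs_stored": len(store.blobs),              # 2
        "bob_roundtrip": recovered == sample,          # True
        "holders_of_guess": store.who_holds(sample),   # ['alice', 'bob']
        "holders_of_other": store.who_holds(b"some other file"),  # []
    }

if __name__ == "__main__":
    print(demo())
```

The secret mixed in for the third upload removes both the cross-user deduplication and the ability to confirm a guessed file, which is the trade-off the thread is circling.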

------
samwillis
To everyone asking about the encryption, it isn't really about protecting your
data, it's about protecting themselves. They have created a service that is
billed as a drop box competitor but it's not. This is megaupload2, they just
need it to not look like they are marketing it as that.

They needed a way to deny any knowledge of file sharing and have found a two
pronged attack. The encryption means they can deny any knowledge of what they
are serving, and marketing it as a drop box type tool means that they aren't
marketing it as a blatant tool for illegal file sharing.

~~~
b1n
Wasn't MegaUpload popularity due to streaming video content?

Doesn't the encryption make video streaming impossible in the way it was being
done before (i.e. to a large pseudonymous userbase)?

~~~
samwillis
Yes, megavideo was a large part of their platform. I think it is only a matter
of time before we see them build a video player on top of mega. I suspect
there are technical hurdles to overcome with decrypting and then playing the
video using javascript though.

~~~
kzahel
The MediaSource APIs will make this possible

------
micheljansen
Does anyone understand how their implementation of client-side encryption is
actually supposed to make my data safer? After logging in for the first time,
a 2048-bit RSA key pair was generated, but it seems that every time I log in I
just use a username (email) and password. Does that mean the RSA private key
is stored on MEGA's servers? If so, doesn't that render the whole "client side
encryption" bit moot? If MEGA has the private key, they can decrypt the data
or am I missing something?

The service seems to have ground to a halt, and I am not able to upload
anything, so perhaps this all becomes clear once one starts using the service,
but I'm curious about how the encryption is used in practice.

Edit: Found a bit more detail in the developer documentation:
<https://mega.co.nz/#developers> According to this, they use the symmetrical
AES-128 to encrypt files, so why do I need an (asymmetrical) RSA key pair? It
also says there that the private part of the RSA key is stored encrypted with
the symmetrical AES key, but MEGA has that key, so what good does that do in
case of an FBI raid?

One of the things that I was most curious about regarding MEGA was to see how
they would manage to make encrypted file storage safe but user friendly. It
seems like this is user friendly, but not safe at all, or am I wrong?

~~~
pyre

      | Each user account uses a symmetric master key to ECB-
      | encrypt all keys of the nodes it keeps in its own trees.
      | This master key is stored on MEGA's servers, encrypted
      | with a hash derived from the user's login password.
    

The key is stored encrypted on their servers, but is unlocked with your
password. Technically they could capture your password and unlock the key,
gaining access to the files.

~~~
AhtiK
MEGA servers store the hash of the password, not the password itself.

Unlocking a key requires a real password but the server knows only the hashed
version. This way they can't capture the real password to unlock. The trick
would be to make sure the server always gets only the hashed password. Even at
website login, the password must be hashed before sending!

We used similar crypto for <http://timegt.com> product where everything is
end-to-end encrypted with a keypair generated by the user yet stored at the
server. But it's stored at the server in a locked form that can be opened with
a password that the user entered. But this password is never sent to the server,
only the password hash is and is used only to make sure that it's ok to send
this locked key to the user. Hopefully this didn't sound too confusing now...
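
The arrangement described in the comments above (server keeps a locked key plus a password hash, client keeps the password), as an added example that is not part of the original comment and is not MEGA's or timegt's code. PBKDF2-HMAC-SHA256, the iteration count, the XOR-pad key wrap and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def derive(password: str, salt: bytes):
    """Stretch the password once, then split it into two unrelated values:
    auth_token is sent to the server, wrap_key never leaves the client."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    auth_token = hmac.new(stretched, b"auth", hashlib.sha256).digest()
    wrap_key = hmac.new(stretched, b"wrap", hashlib.sha256).digest()
    return auth_token, wrap_key

def _pad(wrap_key: bytes, n: int) -> bytes:
    return hmac.new(wrap_key, b"pad", hashlib.sha256).digest()[:n]

def lock(wrap_key: bytes, master_key: bytes) -> bytes:
    """XOR pad plus MAC, a stand-in for a real key-wrap (keys up to 32 bytes)."""
    body = bytes(a ^ b for a, b in zip(master_key, _pad(wrap_key, len(master_key))))
    return body + hmac.new(wrap_key, b"tag" + body, hashlib.sha256).digest()

def unlock(wrap_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(wrap_key, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered blob")
    return bytes(a ^ b for a, b in zip(body, _pad(wrap_key, len(body))))

class Server:
    """Stores only: salt, a hash of the auth token, and the locked master key."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, salt, auth_token, locked):
        self.accounts[email] = (salt, hashlib.sha256(auth_token).digest(), locked)

    def salt_for(self, email):
        return self.accounts[email][0]

    def login(self, email, auth_token):
        """Release the locked key only to a client that proves the token."""
        _, token_hash, locked = self.accounts[email]
        ok = hmac.compare_digest(hashlib.sha256(auth_token).digest(), token_hash)
        return locked if ok else None

def demo():
    server, email = Server(), "user@example.com"  # constructed account
    master_key = os.urandom(16)                   # generated in the client
    salt = os.urandom(16)
    token, wkey = derive("correct horse", salt)
    server.register(email, salt, token, lock(wkey, master_key))

    # Later login from a fresh client: only the password is typed.
    token2, wkey2 = derive("correct horse", server.salt_for(email))
    blob = server.login(email, token2)
    bad_token, _ = derive("wrong guess", server.salt_for(email))

    # The server tries to open the blob with what it was sent, the auth token.
    try:
        unlock(token2, blob)
        server_opened = True
    except ValueError:
        server_opened = False

    return {
        "master_recovered": unlock(wkey2, blob) == master_key,   # True
        "wrong_password_login": server.login(email, bad_token),  # None
        "server_opened_key": server_opened,                      # False
    }

if __name__ == "__main__":
    print(demo())
```

The separation holds only while the code doing the derivation in the browser is the code the user expects.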

~~~
jpalomaki
As long as the logins go via a normal web page, hashing the passwords before
sending them does not really add that much security. If the security of the
server is somehow compromised, it would be trivial to put up new Javascripts
that send the cleartext password to server. Users are not likely to go through
the Javascript to check what it is actually doing.

~~~
freshhawk
This is how similar services have responded to warrants. They voluntarily
alter javascript for some ip addresses in order to capture passwords to use
for decryption of the user's files.

It would probably be easy to write your own login page or a browser toolbar
that would either do the hashing on a page you control or check that the
javascript was what it should be.

At that level of distrust however you might as well encrypt the stuff yourself
(and send the decryption keys to the people you want to share with in some
other, more annoying but secure, way)

~~~
niels_olson
> similar services

for those who don't know, hushmail is probably the best known example of this.

------
jtchang
Regardless of what you may think about KimDotCom he certainly has persistence.
You'd think anyone would quit after a FBI raid and being sued into oblivion.

So what if the service falls flat? I don't really plan to use it until the
kinks are hammered out anyway. The fact that he got it out there though is a
statement unto itself.

~~~
zalew
> You'd think anyone would quit after a FBI raid and being sued into oblivion.

<https://en.wikipedia.org/wiki/Kim_Dotcom#Criminal_investigations>

------
georgeorwell
I see Kim Dotcom as a stereotypical gangster who makes money by delivering
illegal products. He has the narcissistic personality and lifestyle trappings
to go with it. He even wants to buy protection from New Zealand itself by
bringing free fibre optic cable to the island!

It's just hard for me to respect the man, because he's not fighting for
information freedom, he's fighting for as much cash, status, and power as he
can get his hands on.

~~~
dexter313
What illegal products are you talking about?

~~~
andypants
Megaupload was basically the pirate bay if it were run as a business.

~~~
rmc
The pirate bay is run as a business. They make a lot of money from
advertising. They are also branching out into politics now.

------
Kudos
They're not caching any of their static resources, that might explain the
amount of bandwidth use Dotcom is apparently seeing.

Edit: They're not gzipping any of the 2.5MB in static resources either. I
realise that probably doesn't impact their API calls that are failing, but
it's still a big oversight.

~~~
csomar
If you are opening their app for the first time, it doesn't matter since you
are going to download the content anyway. He has only one page, so navigation
doesn't reload the content.

Not using Gzip is obviously a big mistake.

~~~
kami8845
>Not using Gzip is obviously a big part of his marketing plan.

I think this is the only time I would use the words "FTFY" on HN, but I do
think it's obvious, that with kim's bragging about bandwidth usage, gzip has
been disabled intentionally.

~~~
melvex
What a ridiculous statement.

He could just as easily make up a fake bandwidth usage number for marketing
purposes rather than actually put unnecessary load on his servers by not using
Gzip.

It's most likely down to him hiring sloppy developers. And judging by the
source code on the site this is exactly the reason.

~~~
bluegate010
Agreed. Very sloppy code.

~~~
borplk
where are you looking at the source code? I'd like to see too

------
d0m
The interface is very slick.. almost feels like a native application. Just the
fact of being able to resize the various sections of the window is very cool.
Congrats for the launch, this takes a lot of guts to start a service like that.

------
hahla
Site is getting completely hammered as of 15 minutes ago, Kim posted this on
his twitter (<https://twitter.com/KimDotcom>): "Wow. I have never seen
anything like this. From 0 to 10 Gigabit bandwidth utilization within 10
minutes."

~~~
eps
I wonder if all this traffic is genuine or if it's a DDoS.

~~~
rplnt
See these comments <https://news.ycombinator.com/item?id=5084145>

------
benologist
His theory appears to be that by sharing keys via links to access encrypted
files, instead of before which was exactly the same except to access
unencrypted files, he will somehow be immune from persecution this time even
though he still has the ability to identify infringing material by the traffic
sources and bandwidth usage of individual files.

The tie in with web hosting companies adds an ounce of legitimacy to the
affiliate program that originally led sites like the defunct tv-links.co.uk
etc to throw traffic at their paywall last time but it won't be even close to
enough if tomorrow there's millions of mega links on all the streaming and
download indexing sites.

This will be very interesting to watch unfold.

------
bluegate010
The Javascript for Mega looks very messy; all resources loaded via XHR,
loading jQuery but using `document.getElementById` all over the place, using
client-side Javascript to validate the integrity of all these XHR-loaded
resources...

They say that this is their first Javascript coding; they should really get
some talent on board to clean this up.

------
zalew
"Warning: You are using an outdated browser, which adversely affects your file
transfer performance. Please upgrade to Google Chrome."

is this a joke? I'm on FF19

~~~
gee_totes
Really? I'm on FF3 and I didn't get a notice, which was quite surprising.

File upload didn't work though....

~~~
zalew
wow, that's even weirder.

btw thanks for the downvote, whoever that was.

~~~
icebraining
_Resist complaining about being downmodded. It never does any good, and it
makes boring reading._

<http://ycombinator.com/newsguidelines.html>

~~~
onlyup
Reading comments that pull out the rulebook is so much more interesting..

------
vyrotek
That loading/cloud symbol reminds me of something... (<https://stripe.com>)

~~~
nwh
Comparison (<http://i.imgur.com/BZeGm1H.png>)

Definitely a rip-off, and not a particularly well executed one.

~~~
aw3c2
It is a super generic icon in any case.

------
xSwag
I'm not sure if MegaConz is meant to be ironic or not.

~~~
sporney
Defiantly ironic, have you seen his car number plates?

~~~
ricardobeat
Not sure if you meant 'definitely', but that works even better :)

------
ukd1
My first upload:
<https://mega.co.nz/#!jFlzGQiZ!CL2dMi5IAYLUp3ZQ5JS7nmW0sYtudfUchdIPcdz6oGg>

~~~
dexter313
It says, Temporarily unavailable

~~~
ukd1
It should be the HN logo!

~~~
dexter313
Now it says Infinity:NaN:NaN regarding the estimated time to download. :)

And the file is just 4KB.

------
cgio
Reading the comments about de-duping, I think one can identify a very
attractive monetisation path for mega. The larger the percentage of traffic mega
achieves, which is largely supported by the huge free space, the bigger the
incentive for ISPs to resort to a service from mega for de-duping and caching
mega traffic. It would not be unexpected if a "mega appliance" comes up in a
few months for "distributed", high-performance mega usage. I do not remember
the statistics exactly, but megaupload used to have a significant percentage
of global traffic. Albeit, anyone could cache that traffic. Now, mega holds
the keys to that. Some strategic and gradual approach is required, though,
before ISPs take notice of that and pro-actively degrade mega's services (the
other article about Google paying Orange for preferential QoS is relevant)
before it gets the required momentum. Just a thought. What do you think? Is
mega really holding a lock on this kind of information?

------
egeozcan
Trying to access from Germany: <http://i.imgur.com/Iw70r1U.png>

------
69_years_and
I think maybe Kim is a little smarter this time by not having his servers
easily accessible by the US authorities, exactly where those servers are
remains to be seen.

For me, mega.co.nz is at 154.53.224.166, which is Africa allocated,
administered by afrinic.net who seem to be on a small island off the coast of
Madagascar.

------
edwardy20
There are a million cloud drives out there (some with advanced privacy
features), what's different about Mega?

~~~
josephagoss
Honestly? I think it's the marketing, Kim kind of has his own brand going on
here.

------
neya
The big red button is beautiful. But adding just a

    cursor:pointer;

would have made a HUGE difference to the button itself and to the User's
experience, clicking on it. Sigh, when will start-ups start paying attention
to UX?

------
orionblastar
SSL Poor error, cannot connect to server.

Is it down, or is my ISP blocking the SSL certificates so I cannot use it?

I am using Google Chrome.

I assume the site was DDOS'ed or failed under heavy bandwidth.

~~~
cwoebker
I had to type the url exactly like this:

<http://mega.co.nz/>

Other links just failed for me. They definitely messed something up. Or I am
missing something central here.

------
fredgrott
I have a question..maybe it has already been answered. From what I know of
security we have hash and other collisions in Virtual Machine systems and
obviously that can be used to gain access. With Mega using always two hosts
for a piece of data assuming that they might be using some cloud structure
how would this type of attack be prevented?

------
andrewbaron
Seems like people who care about encryption when using the service are
essentially putting their faith in Kim Dotcom's hands. If the FBI, e.g. were
to break the encryption, people would probably lose trust in the service.
Dotcom is carrying a lot of weight on his shoulders in acting as the security
agent.

------
Alphasite_
How exactly does this work, if they don't have access to the original?

> 8. Our service may automatically delete a piece of data you upload or give
> someone else access to where it determines that that data is an exact
> duplicate of original data already on our service. In that case, you will
> access that original data.

~~~
g_lined
They take a hash of every X MB of your data before upload. If the hash already
exists, then they don't upload it. You just get added to the access list for
that particular chunk along with the others who have uploaded it.

~~~
A1kmm
That can't be the whole story. If Megaupload gives you access to the
ciphertext encrypted with a key that neither you nor Megaupload has access to,
that is useless.

------
vitobcn
According to Kim, over a 100,000 users registered in under an hour
(<https://twitter.com/KimDotcom/status/292702999078387712>). Pretty
impressive, and it explains the slow responsiveness of the site.

~~~
rplnt
Much ado about nothing. He's pretty clever.

------
thehodge
Just signed up; was quick, smooth and has a nice interface.. was expecting it
to get tonnes of visitors and be down for the next few hours but either no one
is there yet or they've been very prepared

EDIT: Spoke too soon

~~~
schmrz
Not really sure about the quick part. I'm still trying to get to the website.
The loading animation on start up was incredibly slow and now the site isn't
responding at all.

Edit: I'm trying to access it from EU if that makes any difference. Seems like
http 500 error is returned for assets hosted on eu.static.mega.co.nz.

~~~
Kudos
They load everything from *.eu.mega.co.nz for me, so presumably everything is
fairly close to you.

------
DriesS
A lot of people say that megaupload is back, but if I'm not wrong this is
totally something different than megaupload or do I make a mistake?

You can't share a link with the public anymore, only with an email address.

~~~
benologist
Gizmodo says you can share them with a link

<http://gizmodo.com/5977265/how-megas-encryption-will-protect-you-but-mostly-kim-dotcom>

which makes it no different to before, except this time they're hoping
deniability is better than openly facilitating piracy in their internal
communications.

------
markshead
It appears you can upload a file without creating an account. So without
generating a key first. Or at least without generating a key that is somehow
protected by a password.

------
micheljansen
After signing up, MEGA suggested that I download Google Chrome to use the
service (I was using Safari). I was expecting some affiliate link there, but
there wasn't any.

~~~
frewsxcv
Well, why do you use Safari?

~~~
nessus42
I use Safari because in my experience Chrome is rather buggy on a Mac.
Particularly with regard to Spaces. E.g., if I move a Chrome window to a
different Space, all of my other Chrome windows will tag along for the ride.
It makes using Chrome rather unbearable. Additionally, Safari's interface for
managing bookmarks is much nicer.

~~~
ktsmith
I use Chrome on a Mac with a half dozen spaces with multiple monitors and have
never had problem moving between spaces. Out of curiosity are you using the
release, beta or dev channel?

~~~
nessus42
I just use the standard release of Chrome. I Googled about the problem several
times and all I could find out is that some people experience this issue and
others don't, and no cure was known. The problem did not go away via numerous
upgrades of Chrome, so I eventually gave up.

------
fredsted
Perhaps he should have launched it like Gmail: Gradual launch with invites.
Launching a file sharing site with this much media attention is surely going
to crash it.

~~~
rplnt
No one would want an invite. You need huge amounts of users to successfully
run a sharing portal.

~~~
lucb1e
I think lots of people would actually want an invite, me included.

------
dexter313
woot!?

<https://twitter.com/KimDotcom/status/292707119424229376/photo/1>

------
Corrado
Someone needs to make a "Mega" adapter for OpenPhoto. Mega's prices are pretty
good; better than S3 and Dropbox and in-line with Box.net.

------
rplnt
Horrible site. Ignoring the fact it doesn't work in older versions of Opera,
it's like early 00's and full-flash sites all over again.

~~~
guessWhy
It looks fine to me ?! Flash is not used at all and the design shows some
taste.

~~~
rplnt
It's not "not nice", I like the design. What I didn't like was the loading and
that reminded me of the era of full-flash sites. Maybe the loading took much
longer because the site is overloaded and it will be OK later.

------
Lisa2000
The site claims safer but it doesn't feel safer. The first click opens my
files for me to select one to upload, yet why am I going to upload a file to a
completely unknown entity? Who is/are Mega? What gives user confidence to
entrust (confidential / personal / business) file uploads to Mega? There are a
few steps missing here, I would work on building customer confidence. Unless
you are aiming for uploads within a network of people who know and trust you
for other reasons. Good luck.

~~~
georgeorwell
If you don't hold the copyright over the files, who cares?

------
ForFreedom
I like the web design. But it's a wait and see how far they will get along. Any
idea where their servers are hosted? server farm?

------
navs
I'm curious about the 'made in new zealand' line in the footer. Was there an
NZ dev team involved? I'd love to know who.

------
cmelbye
Heh, interesting that the site so proudly says "Made in New Zealand" despite
the fact that New Zealand raided his home.

~~~
navs
Unfortunately, he seems to be well liked here in Auckland. They even made him
Santa: <http://www.stuff.co.nz/auckland/whats-on/8073823/Kim-Dotcom-plays-Santas-lovechild>

------
arunoda
I can access their web app. But I cannot upload anything, even a 10 kb file.
It says pending.

Seems like they can't handle the load.

------
B0Z
Last night I experienced 70% packet loss just trying to access the site.
Hopefully it was just a launch hiccup.

------
dud3z
It looks like debug can be activated in the javascript console: type "d=true",
navigate, look at your console.

------
colevscode
Speedtest reports: 5 Mb/s upload speed

MEGA reports: 500 B/s upload speed

:/

------
nextstep
So far I'm impressed with how easy it is to sign up. This interface seems
clean and polished.

------
GowGuy47
How much storage does the free version allow is my question... Couldn't find
it anywhere

~~~
ditojim
50gb - It has been mentioned in a few articles but I did not readily find the
info on the site.

~~~
icebraining
It's in Help center: Account. <https://mega.co.nz/#help_account>

------
denzil_correa
Wonderful slick and clean interface. Hate him, Love him but you just can't
ignore him.

------
rikacomet
The site is down for me, earlier, access was denied, to control the extra
traffic.

------
brianbreslin
completely not intelligent comment, but i read the url as Mega CONS. as in
mega con-artist. never before had a NZ domain triggered that reaction in my
mind.

------
dennisgorelik
I'm getting "This webpage is not available"

------
attheodo
And embraces flat design apparently :p

------
alternize
hum, is it just me or is there really no way to change the email address
and/or the account password?

------
zeynalov
For now, upload doesn't work.

------
jordanbaucke
registered. confirmed. nothing after that.

~~~
xanadohnt
Same.

------
arrowgunz
Guys, any idea if they have an iOS app?

------
apathetic
and... it's down.

------
glazskunrukitis
Much ado about nothing.

~~~
nullymcnull
He's claiming 100K registered users in less than one hour. That's nothing?

~~~
glazskunrukitis
100k users just confirm the fuss. Another question is if there is any real
value to this service.

~~~
nullymcnull
Apparently some 100 million users found his previous file sharing service to
be of some value, until it was shut down that is. What's difficult to see,
however, is what value your pointless dig brings to this discussion.

------
drivebyacct2
So, it generated a key... which is being stored where? I can't seem to
download it?

~~~
aw3c2
If you could download it, what use would it have. ;)

~~~
drivebyacct2
Huh? If I were keeping it truly completely private then only I would have the
private key. So presumably it generated one with Javascript stored in my
session so I would need to back it up in order to login later and access my
data.

However, that's not how Mega works. They're still storing a symmetric key on
their server. They're just encrypting before storing for deniability reasons.
<https://mega.co.nz/#developers>

------
rorrr
It freezes during the registration process in both FF and Chrome.

EDIT:

It's because AJAX returns "500 server too busy" error.

------
thoughtcriminal
I'm getting a paid account. Help the brother out.

------
alexqgb
The clean interface makes the tagline (lifted from Daft Punk w/o credit) that
much more conspicuous. Clearly, some things haven't changed.

~~~
foobarqux
The Olympic motto, which is virtually identical, pre-dates Daft Punk.

~~~
kami8845
You know, you could've just told us instead of making us look it up :)

>The Olympic motto is "Citius, Altius, Fortius." These three Latin words mean
"Swifter, Higher, Stronger."

~~~
foobarqux
Sorry, I should have thought to state it. But I have usually seen it
translated as "Faster, Higher, Stronger"

