Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Slashdot Deals: Prep for the CompTIA A+ certification exam. Save 95% on the CompTIA IT Certification Bundle ×

Comment Re:not bashing Kim (Score 1) 90

You offer a reasoned and objective interpretation of this encryption scheme. The part you mention about user-friendliness is important for consumer adoption of a cloud service like this, but it's also the easiest part of the architecture to compromise.

Like you, I haven't thoroughly reviewed the MEGA security architecture, but I've tested the service and can make educated guesses to how it's working. Both keys are stored on the server. The user submits a passphrase that is claimed to be used by javascript on the client side to decrypt the key used on the client side of the transaction.

As you suggest, the javascript can be modified transparently to the end user. There is no assurance to the end user that the passphrase is not sent to the server to be used by the administrator to decrypt the key (that's stored on the server) and then access the user's content.

This security is a technical fallacy. The operators are purporting it to be secure, but they knew from the beginning that the encryption depended on the goodwill of the operators. If the keys don't reside in the hands of the end-users, it's not the real encryption solution Kim Schmitt has been selling.

Comment strongest attack vector in existence (Score 2) 119

I know there are still a small percentage of people out there that still click on every email link they get, but I would hope that phishing is a dying art and not much would ever come of this. I know that most of the people I supported would not be this amazingly stupid, nor would many in the entire company.

If you work in an IT capacity, I suggest you rethink architecting your security profile based on trusting users not to click on links sending them to websites hosting malicious exploit code.

You might have the smartest CS graduates working in your organization. Each one of them has a computer-inexperienced relative whose had their email compromised in one way or another. From those compromised email accounts, messages are sent to your coworkers that can contain solicitations to view content hosted on a remote website. The possibility of your teammates following those links is especially high. Once the exploit code has hit the desktop OS, it's inside your network. If you have vulnerable routers, the attackers can use the beachhead of the first compromised desktop machine to change the DNS settings on the network router. Now, every single user in the organization is vulnerable to being redirected from "" to "" while they still only see the friendly google search page in their browsers when they try to do a search.

Don't trust the end users. They're the weakest member of your corporate security.

Comment not bashing Kim (Score 1) 90

I'm not saying Kim is the one who shouldn't be trusted. I'm saying the implementation cannot be considered to be 'encrypted'. If the operator has the ability to decrypt the contents of the cloud-shared files, then the content is subject to national security letters, snooping, hacking, etc. If the operator of Mega has to be trustworthy, then the implementation can't be trusted because the operator is the easiest part of the architecture to compromise.

Comment don't trust new mega competitor (Score 1) 90

This is a very telling quote--

As a result of this and a number of other confidential issues I don't trust Mega anymore. I don't think your data is safe on Mega anymore.

If his implementation of Mega was dependent on the 'trustworthiness' of the operators, then it was never truly encrypted. Nor should we expect his next iteration of cloud filesharing to be fully encrypted.

Comment Re:The enemy of my enemy != my friend (Score 1) 95


If this were a turf war, the spoils of the compromise would not have been laid out on the lawn for the world to see. The contents would have been used against the Hacked Team to disrupt their business and then added to the attackers own product catalog. In this scenario the market value of the stolen intellectual property has been nullified.

Comment Phillips not the first with harebrained schemes (Score 1) 279

What are all those scientists, engineers and business experts at a huge multinational corporation thinking?

Probably they're thinking, "I really like this paycheck. The product we're developing has no chance of gaining traction in the marketplace, but that's my boss' fault for coming up with this idea in the first place."

Do you really think those people are going to argue with management that they shouldn't have a job developing this concept?

Comment Re:Real Apologies (Score 2) 452

Dan's completely accurate here. It makes me wonder if this (avoiding 'I' and using 'we') isn't the type of product that comes from Crisis Management PR firms who are brought in by CEO's in similar situations. As a consultant, their #1 goal is to please the person who signs their paychecks. When they craft apologies like this, the priorities might not be so much to soothe the audience as it is to present the boss with a response that's palatable to the boss. It would be unnatural for them to go into a meeting and kick Ellen Pao in the butt and say, "You need to grovel and beg the internet to take you back!"

Instead, the PR Crisis Consultants wrote an apology that didn't at all make nice with the Reddit community, but it certainly tricked Ellen Pao into thinking it would. Her inability to anticipate these backlash responses to her decisions are exactly why she is not a good fit to lead a community-based organization like Reddit.

Comment Re:Find the source code on GitHub (Score 1) 95

They are to explain the reasoning behind the code.

This is a huge purpose for comments. Also, maybe I can interpret the code perfectly well without comments. How well can I depend on everyone else who is modifying the code to be able to interpret it properly.

Well-documented code helps protect it from the introduction of bugs by later contributors.

Comment Re: ssh into kpcli (Score 1) 206

anything else i can do?

Modify SSHD config to listen on non-standard port. It will greatly diminish the log traffic you'll see of failed attempts. This could be important if you're using fail2ban as well and don't want your iptables to bloat unreasonably.

Stay away from configuring port-knocking. It becomes a real pita when you want to scp a file at the spur of the moment.

Comment no training?? (Score 3, Informative) 385

You're talking about a profession that in many cases has either no training or dubious training.

This is a field that requires a masters degree and certification.

You're probably thinking of faith-based social organizations that attempt to provide counseling services. Those agencies do not provide effective treatment for the ailments you mentioned. At best they might be able to provide some marriage counseling assistance.

Comment Re:Five stars for.. (Score 1) 246

I agree with all your examples. However, I recoiled during a couple of moments where the story was being read out loud, perhaps at the demand of a producer, as if the audience needed the plot points fully highlighted and underlined.

Obviously the beginning carries a lot of narration that heavy-handedly prepares the setting for the story. Entirely unlike the first 20 minutes of "There Will Be Blood"-- masterful storytelling by Paul Thomas Anderson.

The big shocker to me was near the end where Max fully explains the strategy of attempting to retake the Citadel while the boss is away, then THE BOSS EXPLAINS THE STRATEGY again. This is in stark contrast to the switcheroo ending of Road Warrior where the audience learns of the clever ruse at the absolute very end of the film. Why couldn't George Miller have Furiosa spontaneously turn around with everyone confused about the agenda? Because the strategy is totally explained to the audience, the last 15 minutes of the film is kind of a foregone conclusion.

We want to create puppets that pull their own strings. - Ann Marion