In this article, I will have a quick look at the new cloud storage company, MEGA.


Megaupload founder Kim Dotcom claimed a “massive” response to his new file-sharing service Sunday, launched exactly one year after he was arrested in the world’s biggest online piracy case.

The website, which replaces the outlawed Megaupload, went live at dawn, on the anniversary of armed police raids on the New Zealand-based Internet tycoon’s mansion in Auckland which saw him arrested and the site shuttered.

The 38-year-old German national, who changed his name from Kim Schmitz, is now on bail as US authorities seek his extradition on a range of charges including money laundering, racketeering and copyright theft.

Dotcom hopes the new venture will repeat the success of Megaupload, which boasted 50 million visitors daily, and initial demand triggered overloads that caused long delays in accessing the site.

His lawyer Ira Rothken said they were satisfied the new service was legal and that Dotcom believed it was the “most legally scrutinised start up” ever.

The website offers cloud storage with state-of-the-art encryption to ensure only users, not the site administrators, know what they are uploading.

That would theoretically stop authorities from accusing administrators of knowingly aiding online piracy, the central allegation facing Dotcom in the Megaupload case.

Despite the system overloads, Dotcom expressed delight with the rollout, tweeting within an hour of the launch that there were already 100,000 users registered in possibly the “fastest growing start-up in Internet history”.

An hour later, with 250,000 registrations, he said: “Site is still overloaded. Massive demand. Incredible.” He said server capacity was on maximum load and that access should improve when the “initial frenzy is over”.

[Photo: Kim Dotcom smiles as he speaks during an interview with Reuters in Auckland, January 19, 2013. REUTERS/Nigel Marple]

What is MEGA exactly?

MEGA is a cloud storage provider. It offers free and paid Internet-accessible storage space and bandwidth. It allows you to store and access your files from within your browser or, hopefully soon, through dedicated client applications.


My first question was, why in New Zealand of all places?

According to the web site, there are a few reasons for this. One of the reasons is that New Zealand’s native Māori name is “Aotearoa”, which means “Land of the long white cloud”.


What do I get with my free account?

A globally accessible, high-performance, secure cloud drive with 50 GB of storage space. If you need more than that, you can always upgrade to one of their paid plans.


Can MEGA be used on mobile devices?

At the moment the answer is no but, according to the web site, this is planned for the future.


Are there any file size limits on MEGA?

They do not impose artificial limits on file sizes other than your available cloud drive space. However, some legacy or technically inadequate browsers require the entire file to be stored in memory for downloading (Firefox, IE10, Opera), or for both downloading and uploading (IE9, Safari 5).


How does the encryption work?

All encryption is end-to-end. Data uploaded is encrypted on the uploading device before it is sent out to the Internet, and data downloaded is decrypted only after it has arrived on the downloading device. The client machines are responsible for generating, exchanging and managing the encryption keys. No usable encryption keys ever leave the client computers (with the exception of RSA public keys).


What encryption algorithms does MEGA use internally?

For bulk transfers, AES-128, according to MEGA (the higher CPU utilization of AES-192 and AES-256 outweighs the theoretical security benefit, at least until the advent of quantum computers). Post-download integrity checking is done through a chunked variation of CCM, which is less efficient than OCB, but not encumbered by patents.

For establishing shared secrets between users and dropping files into your inbox, RSA-2048 (the key length was chosen as middle ground between “too insecure” and “too slow”). All encryption, decryption and key generation is implemented in JavaScript, which limits throughput to a few MB/s and causes significant CPU load. They are looking forward to the implementation of the proposed HTML5 WebCrypto API in all major browsers, which will eliminate this bottleneck. JavaScript’s random number generator is augmented by a mouse/keyboard timing-driven RC4 entropy pool.


Is data that I put in shared folders as secure as my other data?

Shared folders, by nature, are only as secure as their least secure member. However, a compromise of the MEGA core server infrastructure poses an additional risk: Public keys could be manipulated, and key requests could be forged.


How does the folder sharing work on MEGA?

You can share any subtree of your cloud drive with friends, family or coworkers. Invitation is by e-mail address. Invitees who do not have an account yet will receive an e-mail notification with a signup link. Alternatively, you can create a public link to any of your folders and export the folder-specific crypto key, making it accessible without a MEGA account. It is then your responsibility to securely transmit the folder key to the recipient(s).

To establish, modify or delete a share, simply right click on a folder in your file manager and select Sharing. There are three access levels: Read-only, read/write (files can be added, but not deleted), and full (files can be added and deleted). If you added an e-mail address that did not have an account yet, you need to be online at least once after the recipient completes the signup process so that you can encrypt the share secret to his newly created public key.
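The share-secret step above, together with the public-key manipulation risk mentioned in the shared-folder answer, can be illustrated with the following added example, which is not MEGA's code. It assumes Node's `crypto` module, RSA-OAEP padding, and a fingerprint that the owner has confirmed with the recipient over a separate channel; all function names are hypothetical.

```javascript
// Added example (not MEGA's code): pin the recipient's public key before wrapping a share key.
const crypto = require("crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hypothetical helper: RSA-2048 key pair, as a newly signed-up recipient would create.
function newKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// SHA-256 over the DER (SPKI) encoding; short enough to compare over another channel.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Owner side: refuse to wrap if the server-supplied key is not the one expected.
function wrapShareKey(shareKey, serverSuppliedKey, expectedFingerprint) {
  if (fingerprint(serverSuppliedKey) !== expectedFingerprint) {
    throw new Error("recipient public key does not match the expected fingerprint");
  }
  return crypto.publicEncrypt({ key: serverSuppliedKey, ...OAEP }, shareKey);
}

// Recipient side: only the holder of the private key recovers the share key.
function unwrapShareKey(wrapped, privateKey) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// Constructed scenario: the server hands back a substituted key for the recipient.
function demo() {
  const recipient = newKeyPair();
  const substituted = newKeyPair();
  const shareKey = crypto.randomBytes(16); // AES-128 share key
  const pinned = fingerprint(recipient.publicKey); // assumed verified out of band
  const wrapped = wrapShareKey(shareKey, recipient.publicKey, pinned);
  const roundTrip = unwrapShareKey(wrapped, recipient.privateKey).equals(shareKey);
  let substitutionRejected = false;
  try {
    wrapShareKey(shareKey, substituted.publicKey, pinned);
  } catch (e) {
    substitutionRejected = true;
  }
  return { roundTrip, substitutionRejected };
}
```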


I have forgotten my password. Can I reset it?

Unfortunately, your MEGA password is not just a password – it is the master encryption key to all of your data. If you lose it, you lose access to all of your files that are not in a shared folder and that you have no previously exported file or folder key for. So keep this in mind when signing up for your MEGA account: the password you choose there is the one in question.


Is all of my personal information subject to encryption?

No. Only file data and file/folder names are encrypted. Information that they need operational access to, such as your e-mail address, IP address, folder structure, file ownership and payment credentials, is stored and processed unencrypted. Please see their privacy policy for details.


Is my stored data absolutely secure?

All security is relative. The following attack vectors exist – they are not specific to MEGA, but it is good to know about the risks.

Individual accounts are jeopardized by:
– Spyware on your computer. A simple keylogger is enough, but session credentials and keys could also be extracted from memory or the filesystem.
– Shoulder surfing. Do not type your password while someone could watch your keystrokes.
– Password brute-forcing. Use strong passwords.
– Phishing. Always confirm the security status of your connection (https://) and the correct domain name before entering your password.

Large-scale attacks could be mounted through:
– A “man in the middle” attack. Requires issuing a valid duplicate SSL certificate in combination with DNS forging and/or attacks on the MEGA BGP routes (a DigiNotar-style scenario).
– Gaining access to the webservers hosting and replacing that file with a forged version (this would not affect access through the installed app base). Note that manipulating content on their distributed static content CDN does not pose a security risk, as all active content loaded from index.html is subject to verification with a cryptographic hash (think of it as some kind of “secure boot” for websites). This type of attack requires sending malicious code to the client and is therefore detectable.
– Gaining access to the MEGA core server infrastructure and creating forged key requests on existing shares. This type of attack only affects data in shared folders and is detectable on the client side as well.
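The “secure boot” idea in the second item, sketched as an added example that is not MEGA's loader: a hash list carried by the trusted index page is checked against every script fetched from the static CDN, and nothing runs unless all of them verify. The file names, contents and function names are constructed for illustration, and the check only helps while the index page itself is authentic.

```javascript
// Added example (not MEGA's loader): verify every script against a hash list before running it.
const crypto = require("crypto");

const sha256Hex = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Constructed file contents standing in for scripts served by a static CDN.
const ORIGINAL = new Map([
  ["crypto.js", Buffer.from("function encryptChunk(k, d) { /* ... */ }")],
  ["ui.js", Buffer.from("function render() { /* ... */ }")],
]);

// Hash list as it would be embedded in the trusted index page (path -> SHA-256).
const MANIFEST = new Map([...ORIGINAL].map(([path, body]) => [path, sha256Hex(body)]));

// Check one fetched resource; unlisted paths are rejected, not waved through.
function verifyResource(manifest, path, body) {
  if (!manifest.has(path)) return { path, ok: false, reason: "not in manifest" };
  const ok = sha256Hex(body) === manifest.get(path);
  return ok ? { path, ok } : { path, ok, reason: "hash mismatch" };
}

// Fail closed: return bodies for execution only if every requested resource verifies.
function loadVerified(manifest, cdn, paths) {
  const results = paths.map((p) => verifyResource(manifest, p, cdn.get(p) || Buffer.alloc(0)));
  const failures = results.filter((r) => !r.ok);
  if (failures.length > 0) return { run: [], failures };
  return { run: paths.map((p) => cdn.get(p)), failures };
}

// Constructed tampering: one CDN copy has extra bytes appended.
function tamperedCdn() {
  const cdn = new Map(ORIGINAL);
  const changed = Buffer.concat([ORIGINAL.get("crypto.js"), Buffer.from("\n/* modified */")]);
  cdn.set("crypto.js", changed);
  return cdn;
}
```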


Let’s assume that a MEGA storage node is physically compromised. What are the risks?

Error messages after downloading manipulated files. Even if the attacker had the encryption key for a given file on that node, he could still not replace it with a forged one without causing the subsequent downloads to fail.
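Why a manipulated file surfaces as a download error, shown as an added example that is not MEGA's code: each chunk is authenticated, and the chunk index and a last-chunk marker are bound into the check so that modified, reordered or truncated data is rejected. Assumptions: standard AES-128-CCM per chunk from Node's `crypto` module stands in for MEGA's own chunked CCM variation, the attacker does not hold the file key, and the chunk size and function names are constructed.

```javascript
// Added example (not MEGA's code): per-chunk AES-128-CCM so tampering fails the download.
const crypto = require("crypto");

const CHUNK_SIZE = 32; // constructed: tiny chunks so a short sample spans several
const CCM = { authTagLength: 16 };

// 12-byte nonce = 8-byte per-file prefix + 4-byte chunk index (never reuse a prefix per key).
function nonceFor(prefix, index) {
  const nonce = Buffer.alloc(12);
  prefix.copy(nonce, 0, 0, 8);
  nonce.writeUInt32BE(index, 8);
  return nonce;
}

// The AAD marks the final chunk, so dropping trailing chunks is detected as well.
const aadFor = (index, total) => Buffer.from([index === total - 1 ? 1 : 0]);

function encryptFile(key, prefix, data) {
  const total = Math.ceil(data.length / CHUNK_SIZE); // assumes non-empty data
  const chunks = [];
  for (let i = 0; i < total; i++) {
    const pt = data.subarray(i * CHUNK_SIZE, (i + 1) * CHUNK_SIZE);
    const c = crypto.createCipheriv("aes-128-ccm", key, nonceFor(prefix, i), CCM);
    c.setAAD(aadFor(i, total), { plaintextLength: pt.length });
    const ct = Buffer.concat([c.update(pt), c.final()]);
    chunks.push({ ct, tag: c.getAuthTag() });
  }
  return chunks;
}

// Throws on the first chunk whose tag does not verify; nothing unverified is returned.
function decryptFile(key, prefix, chunks) {
  if (chunks.length === 0) throw new Error("no chunks: file truncated");
  const out = chunks.map(({ ct, tag }, i) => {
    const d = crypto.createDecipheriv("aes-128-ccm", key, nonceFor(prefix, i), CCM);
    d.setAuthTag(tag);
    d.setAAD(aadFor(i, chunks.length), { plaintextLength: ct.length });
    try {
      return Buffer.concat([d.update(ct), d.final()]);
    } catch (e) {
      throw new Error(`chunk ${i} failed integrity check`);
    }
  });
  return Buffer.concat(out);
}
```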


Is it a good idea to store all of my data in a single place?

Always keep redundant copies of important files, online and offline. Although MEGA keeps each file in at least two locations, there is no guarantee against multiple concurrent failures and repeated unprecedented government misconduct.


Why should I entrust my data to MEGA?

They provide for user controlled encryption (UCE) where you, the user, control the keys. The UCE implementation is open source, and they invite and encourage the community to scrutinize it and provide feedback. I believe that this approach is much safer than storing your data on a provider with server-side encryption where the ISP controls the keys or, worse, no encryption at all – if, for example, MEGA user files were suddenly accessible without a password due to a programming error, they would be unreadable without the user-controlled decryption keys.


I noticed that MEGA is using HTTPS for transferring already encrypted file data. Isn’t that redundant?

It is. Unfortunately, most browsers take offence with establishing insecure connections from a secure page, and who could blame them for that – they can’t possibly be aware of the fact that there is another encryption layer already in operation. Because HTTPS has an adverse effect on performance, they allow you to turn it off on browsers that allow it (Internet Explorer does not) to speed up your transfers without jeopardizing the confidentiality or integrity of your data. You will see an SSL warning appear upon your first file transfer in some browsers – in this (and only in this) case, it is safe to ignore.


Is MEGA right for me?

This is something you, the user, will have to establish for yourself.


Is MEGA accessible to people who use screen readers?

Yes. However, the fact that there is no client at present will make for a really bad experience if you are used to Dropbox and other similar services. It must also be noted that Internet Explorer and Firefox don’t play well. You should use Chrome if you want to enjoy the service.