Kim Dotcom Tackles Mega Security Concerns, Points To Password Changes In The Pipeline

Though it launched to considerable fanfare, Kim Dotcom’s Mega encrypted storage service has recently drawn fire from the press thanks to supposedly questionable security practices. Well, Mr. Dotcom is none too pleased with the conclusions that some news outlets have come to, and has taken to the official Mega blog to address some of those issues head-on.

There were plenty of sites that echoed those initial security concerns, but Dotcom focused on debunking claims in two pieces published by Ars Technica and Forbes, respectively. Most of his post runs through rather dry explanations of why the assertions in those pieces weren’t completely accurate, and some of his points are oft-repeated best practices for using the Internet (he says the recently touted MegaCracker tool is “an excellent reminder not to use guessable/dictionary passwords” for instance). Still, some of his comments do point to some changes in the works for the nascent secure cloud storage service.

Take the issue of passwords, for instance. Ars Technica’s recent story points out that Mega has no password recovery system and spells out the problem that creates: because the key needed to decrypt your files depends on your password, forgetting that password leaves you with no way to read anything you have stored. Dotcom admits that is indeed the case and says it won’t change in the “near future.” What he does say is in the works is a secure password change feature, along with a reset mechanism that only partially aids the tragically forgetful:

A password reset mechanism will allow you to log back into your account, with all files being unreadable. Now, if you have any pre-exported file keys, you can import them to regain access to those files. On top of that, you could ask your share peers to send you the share-specific keys, but that’s it – the remainder of your data appears as binary garbage until you remember your password.

Ars also took issue with how the service uses keyboard input and mouse movements to add entropy to the RSA key pair it generates at signup (a key generated from too little entropy is predictable, and therefore weak). While signing up, users are shown a splash screen saying that is exactly what’s happening, but Ars’ Lee Hutchinson wasn’t convinced, since the statement stays vague about when those entropy-adding movements are actually recorded (and I can’t blame him). To address that pain point going forward, Dotcom notes that changes to that part of the onboarding process are in the pipeline:

We will, however, add a feature that allows the user to add as much entropy manually as he sees fit before proceeding to the key generation.