Mega Co-Founders Unsurprisingly in Spat Over Crimes, Security

Kim Dotcom, founder of Megaupload
Photo: Hannah Peters (Getty Images)

Remember Mega, the encrypted cloud storage company? Nope? Well, you might remember its predecessor, Megaupload, the file hosting provider that was accused of serving as a haven for piracy in the mid-2000s and was later shut down by the authorities. Prior to its closure, Megaupload was considered the premier site for people who wanted to flout intellectual property law, until the federal government took it down in a spasm of regulatory revenge. This was the site you could have landed on with just a few clicks of a Google search for “Breaking Bad full episodes”.

In 2013, after Megaupload bit the dust, original founder Kim Dotcom (whose real name is Kim Schmitz) and other former executives Bram van der Kolk, Mathias Ortmann and Finn Batato created a new company from the ashes of the old one, launching “Mega”. Dotcom eventually bowed out of the company, but Mega persevered for most of the last decade, promising users that it was a safe and inexpensive way to store and secure their files.

But this week has been quite difficult for Mega. Not only did van der Kolk and Ortmann plead guilty to crimes related to its predecessor, angering Dotcom, but researchers also found evidence that the company’s infrastructure had security flaws that could allow the decryption of user data. Mega has long promised its users that their data is protected by end-to-end encryption, which means it’s supposed to be hidden from everyone except the user. But that’s just not the case, as the company admitted in a blog post about patching the vulnerability.

Dotcom, who has been similarly charged but maintains his innocence, wrote of his former business partners: “Mathias Ortmann and Bram Van der Kolk stole Mega from me for a convicted Chinese criminal… Shady guys who just made a deal with the US and New Zealand governments are backing out of the US extradition case by falsely accusing me. Delete your Mega account. It’s not prudent.”

Two founders of Megaupload plead guilty

The court case against Bram van der Kolk, Mega’s chief system architect, and Mathias Ortmann, listed as a co-founder, stems from their time with Megaupload, a platform that authorities allege was used to facilitate the large-scale illegal distribution of copyrighted material. After the company’s implosion in 2012, van der Kolk, Ortmann, Dotcom and Batato immediately found themselves embroiled in legal issues over their alleged roles in the site’s shadier activities. Authorities in the United States and New Zealand (where they were arrested) accused the old website of being a piracy hub and the site operators of being well aware of how their product was being used. Over the past decade, all four have been part of an ongoing court case and have been threatened with extradition to the United States, where federal officials have expressed a desire to indict them in a US court.

The extradition proceedings against Batato were dropped last year, and he died of cancer earlier this month. Ortmann and van der Kolk, meanwhile, pleaded guilty on Tuesday to charges brought against them in New Zealand, in a bid to avoid extradition. The two men pleaded guilty to having been part of an “organized criminal group” that illicitly profited from copyrighted material. They each face up to 10 years in prison. Dotcom, meanwhile, has maintained his innocence, and it is unclear whether he will face extradition to the United States.

In an interview with Things, van der Kolk said he envisions his future work at Mega: “We have worked incredibly hard on Mega and we are convinced that our rehabilitation process began a long time ago. We’re very proud of what we’ve built and we can’t wait to keep building because we still have a lot of work to do.”

When reached for comment on Wednesday, a Mega spokesperson noted that this particular legal case has been ongoing for a long, long time:

The charges against Mathias Ortmann and Bram van der Kolk relate to activities 10 to 20 years ago, when the internet was in its early stages of development. Similar actions have been taken by many other companies, including YouTube and Rapidshare, but without the same draconian criminal charges being brought.

Dotcom, meanwhile, hasn’t been involved with Mega for several years. We’ve reached out to Dotcom for comment and will update this story if he responds.

Researchers say decryption is possible

In addition to the legal news, Mega also suffered reputational damage this week with the disclosure of new security issues. For a long time, the company has claimed that it secures user data with end-to-end encryption. In a blog post, the company writes: “As long as you make sure your password is strong and unique enough, no one will ever be able to access your data on MEGA. Even in the exceptionally unlikely event all of MEGA’s infrastructure is seized!”

But there’s a problem with those promises, say researchers at the University of Zurich, who published a study on the company earlier this week. In fact, there are a number of situations in which user data can be decrypted.

Researchers say Mega’s encryption can be broken by anyone with access to the company’s backend infrastructure. In other words, the company itself, or someone with access to its internal tools, has the ability to decipher user data under certain circumstances. The researchers said the cryptography that Mega uses to secure the data has a number of fundamental problems, which allow the decryption of the data. To find out the full extent of these security issues, you can head to the researchers’ website.

On Tuesday, Mega finally admitted that security issues were a thing and posted a statement acknowledging that a security update had been released to address an associated vulnerability:

“Today, MEGA released software updates that address a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing the less serious issues identified will follow in the near future. MEGA is not aware of any user accounts compromised by these vulnerabilities.”

When contacted for comment by Gizmodo, the company further sought to downplay the severity of the security risks. The majority of security issues have already been fixed, and more will be “resolved through client updates over the next few days,” a spokesperson said. He added:

Please note that the most significant discovery required a client to log in over 512 times, while being observed by the malicious attacker. This number of logins has only been surpassed by a tiny percentage of our 250 million registered users.

While this seems to narrow the field of potentially affected users, it’s still not a great look for a company that has promised to keep your data hidden.

