Wireshark color codes
Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below:
this should raise your eyebrows, ... this is really bad PR and there should not be a compromise between security and convenience.
Originally posted by kwakakev
I do have a somewhat restricted internet quota and have not seen the video, but have done a little research into it. I am not saying UCE is a bad system, but it does have its limitations and is not suited for every application.
Personally, if I was to use Mega's service I would encrypt all the files using some other process before uploading any sensitive information, just to be sure because at the end of the day it is my responsibility if I get hacked.
Generally I do prefer to wait for any new security systems to get some real world battle testing before putting some trust in it.
One weakness that has been identified with the system is with the trust that is placed with Mega and their ability to quickly update the system.
With servers placed in America they do have obligations to abide by American law, which has been growing in its ability to breach privacy and access information. With a court order, it is possible for Mega to grab a copy of the user's encryption key, without the user's knowledge.
By moving away from Javascript to a peer reviewed browser plugin it will help close this hole, but reduces the ability to update the system. Perhaps in time as the system becomes more stable it might be an option or branch.
Actually I consider this hacking event as very good PR. Evernote performed a very responsible reaction to what is an unfortunate, but realistic event. Most companies just pretend it does not happen when it does, which further increases the risks and insecurity. The hash and salt did their job and provided the time so all account passwords could be reset. Even if the hackers had a massive bot network ready to go with a brute force attack it still would take some time to break the passwords. If the website just used a common hash without a salt then some of the passwords might have been discovered a lot quicker from rainbow tables.
But if a hacker can get administrator access to your server they can just bypass the whole user password login and take or alter whatever they want. The more you get into computer security, the more you realize that it is all about compromising security with convenience.
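The salt-versus-rainbow-table point in the post above, as an added example that is not part of the original thread: a precomputed table of unsalted hashes recovers every matching record in one lookup, while per-user salts make the same table useless. The user names, passwords and word list are constructed, and plain SHA-256 is used only to keep the comparison visible.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed word list standing in for a precomputed (rainbow-style) table
// of unsalted hashes: hash -> password.
const COMMON = ['123456', 'password', 'letmein', 'qwerty'];
const precomputed = new Map(COMMON.map((pw) => [sha256(pw), pw]));

// Constructed users who happen to share the same weak password.
const users = [{ name: 'alice', pw: 'letmein' }, { name: 'bob', pw: 'letmein' }];

// Weak storage: hash only.
function storeUnsalted(u) {
  return { name: u.name, hash: sha256(u.pw) };
}

// Salted storage: a fresh random salt per user, kept next to the hash.
function storeSalted(u) {
  const salt = crypto.randomBytes(16).toString('hex');
  return { name: u.name, salt, hash: sha256(salt + u.pw) };
}

// Login check for salted records: recompute with the stored salt.
function verifySalted(record, candidate) {
  return sha256(record.salt + candidate) === record.hash;
}

// How many stored records does one pass over the precomputed table reveal?
function recoveredByLookup(records) {
  return records.filter((r) => precomputed.has(r.hash)).length;
}

// Equal passwords give equal unsalted hashes but different salted ones.
function distinctHashes(records) {
  return new Set(records.map((r) => r.hash)).size;
}

const unsaltedDb = users.map(storeUnsalted);
const saltedDb = users.map(storeSalted);
console.log('unsalted: recovered', recoveredByLookup(unsaltedDb), 'distinct', distinctHashes(unsaltedDb));
console.log('salted:   recovered', recoveredByLookup(saltedDb), 'distinct', distinctHashes(saltedDb));
```

A salt only removes the precomputation shortcut; a production system would also use a deliberately slow function such as scrypt so that per-user guessing takes the time the post refers to.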
it is possible for Mega to grab a copy of the user's encryption key, without the user's knowledge.
I have not seen anyone say that before, is that opinion or fact?
While Mega uses Javascript to perform all the client side scripting it is a fact. The Javascript is reloaded every time you visit the site so while Mega may not take a copy of your key today, there are no technological hurdles to stop them taking it tomorrow. Only the trust that is placed in the site helps prevent this, but could come under a lot of political and legal pressure depending on who uses the site and what watch list they are on. It is feasible with the central management facility that different Javascript versions are provided to different members, ones that copy keys and ones that don't. Until a more secure client side scripting service is used there is a risk.
It is possible for you to see the source code each time you access the site and work out what is going on. But it does take quite a lot of effort and depending on how much Javascript is used can become quite messy.
If it is discovered that keys are being copied, at least for some accounts there will be a big public backlash. If Mega refuses to play ball with the authorities then their servers could get shut down. It is quite an interesting position Mega is getting itself into and will quite likely make headlines one way or another.
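One way to reduce the effort of re-reading the served code on every visit, as an added example that is not part of the original thread or of Mega's code: pin a digest of each script from a visit you have reviewed and flag anything that differs later. The script paths and bodies are constructed placeholders; the check reports that code changed, not whether the reviewed version was trustworthy.

```javascript
const crypto = require('crypto');

// SRI-style digest ("sha384-<base64>") of a script body as received.
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Build a manifest { path: digest } from the scripts of a reviewed visit.
function pinManifest(scripts) {
  return Object.fromEntries(
    Object.entries(scripts).map(([path, body]) => [path, sriDigest(body)])
  );
}

// Compare a later visit against the pinned manifest and list every deviation.
function auditVisit(pinned, served) {
  const findings = [];
  for (const [path, body] of Object.entries(served)) {
    if (!(path in pinned)) {
      findings.push({ path, status: 'unpinned' });   // script never reviewed
    } else if (sriDigest(body) !== pinned[path]) {
      findings.push({ path, status: 'changed' });    // body differs from review
    }
  }
  for (const path of Object.keys(pinned)) {
    if (!(path in served)) findings.push({ path, status: 'missing' });
  }
  return findings;
}

// Constructed sample data: hypothetical paths and bodies for two visits.
const reviewedVisit = {
  '/js/crypto.js': 'function wrapKey(k){return encrypt(k);}',
  '/js/ui.js': 'function render(){}',
};
const laterVisit = {
  '/js/crypto.js': 'function wrapKey(k){return encrypt(k);} /* build 2 */',
  '/js/ui.js': 'function render(){}',
  '/js/extra.js': 'function helper(){}',
};

const pinned = pinManifest(reviewedVisit);
for (const f of auditVisit(pinned, laterVisit)) {
  console.log(f.status.padEnd(9), f.path);
}
```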
Information and Privacy
43. We reserve the right to disclose data and other information as required by law.
Originally posted by kwakakev
reply to post by XPLodER
The main recourse Mega has to preserve its ability to legally maintain all encryption processes is to undertake some legal shopping to find a jurisdiction that is more favorable of the privacy issues and place all of their servers there. DNS withdrawal and financial account closures as with wikileaks could still be one option available to the US if there is a strong desire to get into the systems as well as other challenges through international law.
If Mega has invested quite a large legal undertaking into their systems then any source code provided for review may have some non disclosure aspects tied to certain functions, which would be withheld as external review processes were undertaken. Only with administrator access to their servers can there be certainty as to what code is being used, something that is not expected due to many security implications. But if most of the source code is released and gets good reviews then other similar services could also be quickly established without all the public attention that is on Mega. There are still confidentiality and Intellectual Property issues with this, but a possibility.
During a panel at the RSA Conference, a security-focused industry gathering here last week, Brendon Lynch, chief privacy officer at Microsoft, declared that companies like his had come to appreciate the "market forces at play with privacy." "It's not just privacy advocates and regulators pushing," Mr. Lynch said. "Increasingly, people are concerned more about privacy as technology intersects their life."
"What does privacy mean?" Facebook's chief privacy officer, Erin Egan, asked at the RSA Conference. "It's understanding what happens to your data and having the ability to control it."
Whether Internet users are ready to pay to protect their personal data is unclear, though surveys have repeatedly pointed to consumer anxiety.
In a national survey last year, Forrester Research found that one in three consumers were concerned about companies having access to their behavioral data. More than 40 percent said they had stopped short of completing a transaction on a Web site because of something they read in a privacy policy.
Consumer trust is an increasingly vital commodity for Web companies, said Fatemeh Khatibloo, a Forrester analyst. "There's enough market traction and momentum from the consumer side and the business side to drive this forward," Ms. Khatibloo said.