>"Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data."
What the actual fuck? Isn't all my data supposed to be private and encrypted in a way so that only I can know the contents of my uploads?
That would mean they use the same encryption key for everyone. Then what's the point of encrypting it at all? Mega would know the decryption key, which is as good as law enforcement knowing it.
that's only if they were encrypted with separate keys. if they were encrypted with the same key, however, it's self-explanatory how they could be compared to see if they're the same.
Mega claims to encrypt your data at the browser level using your own key that no one but you has access to. If this part of their ToS is true however that means they're lying about that.
>keeping sensitive data on the internet
>not encrypting it locally and the uploading shit
I keep backup of my flacs and games in encrypted 7zips. Can't give two shits what they do with it as long as they saturate my 100mbit connection.
I believe that MEGA should be used for storing your porn. But not child porn. That shit doen't belong on the internet. It belongs deep under encryption on a secure HDD only accessible through SFTP/SSH
Who gives a fuck? MEGA is a great service but you should trust NO third party cloud service with sensitive data. I use MEGA all the time but treat it as if all my data on it is compromised. Any 3rd party cloud host should be treated in this manner.
No, I'm saying the same data encrypted with two different keys will produce two different hashes.
The fact they are able to hash and detect duplicates where the data is claimed to be encrypted with per account private keys mean they are lying about something.
>they probably check by file size
There are plenty of things that have standardized filesizes right down to the bit. ROM dumps for example are usually padded with 0s. If they did that for deduplication then they'd run into problems VERY quickly.
they actually probably check MD5s or something other than file size. I could have two split RARS, each exactly the same fucking byte-age. That doesn't mean they are the same.
If they are able to create hashes of the same data despite differing encryption keys then yes, they must be able to know what it is. They can pinkie promise and say they don't check anything but the hash, but the fact is that if they can hash it they can read it.
i know that separate data encrypted with the same key won't produce the same hash.
i'm saying that they could perhaps store a hash of its (unencrypted) data when you upload it, and this is used to check for duplicates.
just a guess.
Mega was created with the concept of encrypting you data at the browser level before you even begin uploading to their servers.
So either they use your browser to hash files, which also means they can analyze them, or they have some kind of universal key that they can use to decrypt any user's file.
like i said before, a hash alone cannot determine a file's contents. it gives no information about what's in it. correct me if i'm wrong about that.
honestly, i don't know. you'd be wise to trust some of the posts in this thread which state that you should treat it like it's compromised
They need to be able to read the file to create the hash.
What don't you understand about this? Hashes aren't magical, they use the file's data as an input for an algorithm that creates the hash.
yes, we established that. like i said, your browser could be asked to generate a hash to use when the file's uploaded. and that's what i'm saying they -could- use to check for duplicats. what don't YOU understand about this?
If they really hash it before uploading you could exchange the hash for another one and make their system think your file is unique, even if it's not...
Or maybe they just use deduplication on their storage machines just like pretty much any other company that stores a lot a potentially duplicate data? It's a standard thing that everybody uses, they're not decrypting your files, you're all freaking out over noting.
It means they are reading your files and sending info about the files back to their servers.
No, they don't have to analyze the data further than creating a hash, but there is absolutely no reason to assume otherwise.
It's like using Tor to go on the clear web. Yes, you probably won't get a malicious exit node, but you'd be naive to assume that you're not on one.
>Or maybe they just use deduplication on their storage machines just like pretty much any other company that stores a lot a potentially duplicate data?
That's impossible if all the data is encrypted with keys they claim they don't know. Again, the same exact data, bit for bit exact, will produce different hashes if they are encrypted with different keys.
101101 encrypted with the key "fag" will produce encrypted data that hashes differently than 101101 encrypted with the key "nigger".
See the first section.
when did i say they were reading your files? if you read my post properly, i said that -your- browser could generate the hash. all you're sending to their servers is the computated hash. refer to >>42833478 Anon's post.
Hash the file and use that as the key of the file. Hash the encrypted file. Then use this hash as the name of the encrypted file. Then all duplicate files will be detected, but mega has no idea what it is.
Now if you encrypt the header another time with your own unique password, then only ypu can decrypt it and only who uploads the same file can create a password for the file.
What don't you get? All they care about is if the encrypted files are duplicate. Deduplication is widely used on large storages, it does not care whether the file is encrypted or what the key is.
Mega claims to not have the decryption key for any file. So even if they store the hash of the decrypted file and use it to compare it to any uploaded file, they wouldn't be able to provide the decryption key to the existing encrypted copy.
that wouldn't work either, because then if you deduplicated two pieces of data that were encrypted with different keys, someone is going to receive a copy of the data later that was made with a different key
There was a talk where the MEGA developers said that hashes are computed on the unencrypted files. They gave advice for the paranoid at the end of their talk saying that if you don't trust them you should pad, encrypt, and rename your sensitive files before uploading them to MEGA. Seems like reasonable advice to me.
You didn't, I did. To create a hash of a file you must put that file through a program that runs the data as an input for a hash creating algorithm.
Now, if we assume they're creating hashes on your computer, that still means they are reading your (or if you want to be technical, making your computer read your) file to create a hash which they then send to their servers.
In either case data about that file is being sent to their servers.
Like I said before, you can assume all they do is hash and nothing else, but it's just that, an assumption.
You can assume that no one will go into your house if you leave it unlocked in a "good" neighbourhood, but I think we can all agree that's just naive and reckless to do.
With all the NSA bullshit going on why would you assume all they care about is the hash?
if the same data is encryped with two different keys, the two resulting encrypted files are NOT DUPLICATES ANYMORE, they are comprised of different bits, and can only be read with the one corresponding key (not both/either)
MEGA stores both the encrypted files and the keys to those files. They're probably stored on different servers, but whenever I log in I get to see the keys for all of my files, which means that they have them.
So obviously what MEGA does is:
>before uploading file, first hash it
>compare database to determine whether there is a file already there with the same hash and filesize
>if there is, let the user upload it, decrypt the existing file, confirm match
>if they match, discard the uploaded file, add the existing file to the user's personal folder, along with the existing key
The additional step of encryption is just an argument against checking all of their files for illegal content. They can decrypt any file they want to, but it's infeasible to do to all of their files.
ok genius, how the FUCK are they supposed to delete some of the old data if it's encrypted then? The other person wouldn't be able to fucking decrypt it you hoodlum. Unless if that one key could decrypt both files, in which case your super secret special key isn't going to be good because other keys can decrypt it anyways.
It's called hashing it jackss.
It might do an md5 hash on something you uploaded, and then reject/delete something with the same md5 hash. Nothing wrong with that. Even if it's encrypted they can do that.
It's not something they're intentionally doing. The information they're using is an INTRINSIC PART OF A FILE UPLOAD HEADER EVERYWHERE ON THE INTERNET.
They're just deciding to put it to use.
If they terminated this feature, they would still receive the hash/checksum because you cannot send files without it.
>Even if it's encrypted they can do that.
>>Checksum is transmitted
>>File is encrypted
>now supposedly only your key can decrypt the encrypted file because that's how cryptography works
>oh fuck, someone tries to upload the same file
>points to your "useless" encrypted data because the checksums are the same
>can somehow decrypt it anyways
Encryption does now work how you seem to think it does.
There's no decryption. File A has a hash/checksum of S145, and this is universally unique. It is encrypted and never decrypted. Another file is uploaded with the checksum of S145. Without even decrypting the other file, you know they're the same file.
Why the fuck would deleting the new file with the same checksum be an option then? You'd only be able to delete the duplicates if both keys could, somehow, decrypt the same encrypted file.
Let me spell this out for you, because you're clearly a moron:
1. File is uploaded to MEGA, unencrypted. People do not upload already-encrypted files. This is a service MEGA provides.
2. In the file transfer header, among other data, a hash/checksum is offered. MEGA accepts it and names the file with this key.
3. File is encrypted.
4. Although the file is now encrypted, and never decrypted, it has a unique identifier as a filename that can be used to pair it with other files.
He's saying Mega claims your files on the server are encrypted with your own private key.
If that's true then it should be impossible for them to deduplicate data because even if they did hash before the data is encrypted only one person who uploaded that file should be able to decrypt it because the data should be encrypted with a key that even mega claims they don't know.
Because the encrypted file's filename or meta data contains the hash, and MEGA searches for any files with a similar hash of a pending upload.
You can delete encrypted files without decrypting them.
Yes it is. No matter what website your on, this is a subset of the data that is transmitted prior to file uploads. It's fundamental to the Internet.
It's encrypted client-side AFTER upload. They HAVE to have already received the file for them to encrypt it in any way.
Please use your brain for a moment and think about this. How can they be encrypted before the hit the servers, without them having access to them, i.e., by them being uploaded?
You're not understanding what they're describing, namely, client-side encryption.
You idiots, I posted the solution to this already. It isn't encrypted just a single time. It's encrypted one time using a hash of a file as the key. So all uploaders create a duplicate encrypted file that looks the same. with a very unique key as the key is the fucking hash of the original file. This means every fucking file has it's own unique key, except duplicates.
Now you can use the hash of this encrypted file to recognize duplicates, while no one knows what it is except the uploaders.
Now encrypt that key another time with the personal key of the user. And every user that uploads the file, can access the file. And nobody else.
>Please use your brain for a moment and think about this. How can they be encrypted before the hit the servers, without them having access to them, i.e., by them being uploaded?
Except this service only applies to your files. They're not deleting other people's files because you uploaded a duplicate you absolute mongoloid. They're deleting YOUR duplicates to save space.
Tcp does Checksumming on packets. Http works on top of tcp, but the tcp checksum does not correspond at all with the file checksum. You need to be more clear about exactly where this checksum appears.
that doesn't count as encryption. there's no secret in the key. It's just obfuscated.
The content owners of pirated stuff for example could easily check for the presence of their stuff on the site and then force them to give out the uploader's info
A lot of people are saying "They can hash it before encrypting and uploading which makes it okay", but that also does not work.
Since the keys are supposed to be per user, even if it knows I upload the same data as Bob, Bob's data must be encrypted with his key (which I do not know) so I can't download his data and use it.
Sure, that works and lets them only store one copy of data, but it also means only the original uploader can access it ever...
If I can download bob's data because my pre-encrypt hash matches his pre-encrypt hash that means Bob's encryption must have been compromised somehow, else I couldn't access it without his key.
This is fucked if they do it. There's absolutely no way to securely dedupe. Zero.
It's in the OP you fucking mouthbreather.
Pick one link and quote the relevant portion, if you can.
Hint: You can't. MEGA doesn't delete person Y's movie just because you uploaded the same movie. That would prevent them from being able to access it themselves.
Ergo, it doesn't happen and you're wrong.
What you said does not work nor make any sense.
If it's encrypted with the user's key after the hash (not encryption), it's still not accessible to everyone. That doesn't work. Nice try.
If it does work, then it's even worse because it means the per-user keys are not strong encryption and are shared. gg.
I'll entertain you even though you don't understand the issue at all. If there are 20 different qualities of the same movie, who decides which file should be the right one that is kept?
>MEGA doesn't delete person Y's movie just because you uploaded the same movie
Right here retard, "Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data."
They'd have to know what you're uploading and what is already on their server.
It's in the fucking mega ToU so you can't fucking say they don't do it.
Moot point, there is no programmatic way to determine image / movie duplicate when not completely identical (read, different quality).
For example, creating an image with 10 pixels different (e.g. take picture of president, make his eyes read to indicate evil) could have significantly different meaning. Alternately, 10 pixels different could be simple compression (eyes slightly blurred, thanks diff jpg compression algo)... You absolutely cannot differentiate minor human changes with compression / quality changes
It's unreasonable for a human to review all files nor can they due to encryption.
Quality must have a human component and this discussion concerns only exact duplicates and automated backend stuff. In other words, fuck off.
If you want your feature, you need users to tag files with what they are and their quality.
Mega said it didn't do that. Mega said it was zero-knowledge encryption (at first). Maybe it's fucked now.
If another user can get your key to decrypt, so can mega. They said they can't ever see your data there. Contradiction, aha, etc etc.
>what is reading
>>Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service
>Our service may automatically delete a piece of data you upload
>where it determines that that data is an exact duplicate of original data already on our service
>already on our service
On the service, as in anywhere in the mega servers.
It would be fucking useless if all it did was keep duplicates off of your data.
If you want actual security, it makes more sense to encrypt the files yourself.
The way I see it, the encryption is probably implemented in such a way that it's unlikely that the government can get their hands on both the keys and the data. Intrusion of one system will trigger a dead man's switch on the other. I'm not sure, just speculating at this point.
>it determines that that data is an EXACT duplicate of original data
btw, if you this bothers you that it's provable that the file you uploaded is the same as the file someone else uploaded, you can just change a single byte (or if that's not feasible encrypt with almost any weak-ass encrpytion and a random key), and noone can ever know what you uploaded
The guy was talking about deduping different qualities of the same file. I was explaining how that doesn't even remotely begin to work (I.e. Not understanding the issue at all), and thus entertaining him with even how unfeasible that is on a theoretical sense.
it most likely save them a ton of money, and most people don't need unique encryption. those who need are responsible to make the file unique themselves. i don't think it's wrong, it saves global storage which is better for everyone
Wait, were people actually trusting that fatfuck "Dotcom" about anything encryption related?
Don't get me wrong, Mega is one of the better file hosts, but I would never put anything sensitive on there without having encrypted it myself.
>If there are 20 different qualities of the same movie, who decides which file should be the right one that is kept?
this can easily be done with repository style management. for example, that new music device that was on kickstarter only hosts the best versions of hit songs. they determine this by doing a bit of research with the community to determine which is the lossless file right out of the studio. same can be done with video or anything else.
They will not ban you. MEGA is particularly awesome because you can essentially use infinite accounts to have infinite amounts of storage for free. Max out one account but put all your data in one folder and not right at the root and then create a new one. With your new account share that root folder you created with everything in it. You can keep doing this and build up accounts with your previous ones sharing with the current one. You can access all your previous data from other accounts and keep adding more. I have done this with an obscene amount of data for over a year and have not been banned.
Not him, but I think that's unlikely. Their brand really revolves around their reputation, cracking down like that would damage them far more than a minority of individuals taking the piss with storage.
The official Windows client is quite good. It's very low on resources and does what it is asked to do. There is no official Linux client yet though they recently released the second version of their SDK so there's probably some sort of third party tool available. I've been wanting to write one lately as well so who knows.
The encryption is hash-based, presumably. Each file is encrypted based upon the contents of the file before it was encrypted. Each copy of the file is encrypted the same way, and has the same resultant encrypted file.
If it detects that two encrypted files use the same hash, it will deduplicate them. The decryption key isn't knowable, but, will be the same for both versions of the file.
>If it detects that two encrypted files use the same hash, it will deduplicate them.
Was rather unwieldy, it should have been more like:
>Both encrypted copies of a duplicate file would have the exact same /encrypted/ hash, and could be deduplicated by simply linking the copies and deleting the extra.