This repository has been archived by the owner on Jul 4, 2022. It is now read-only.
forked from meganz/webclient
blog.xml
executable file
·335 lines (334 loc) · 132 KB
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">
<channel>
<title>MEGA Blog</title>
<atom:link href="https://mega.co.nz/blog.xml" rel="self" type="application/rss+xml"/>
<link>https://mega.co.nz/#blog</link>
<description>News and updates about MEGA</description>
<lastBuildDate>Wed, 28 Jan 2015 01:55:35 -0300</lastBuildDate>
<language>en-NZ</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://mega.co.nz/</generator>
<item>
<title><![CDATA[MEGAchat: Technical Security Primer]]></title>
<link>https://mega.co.nz/#blog_32</link>
<pubDate>Tue, 27 Jan 2015 18:35:05 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_32</guid>
<description><![CDATA[All content transferred via the MEGA platform is end-to-end encrypted. This means that the end user is the only one who can encrypt or decrypt the content. It is virtually impossible for MEGA or any network snooper to gain insight into encrypted content that users store or transfer. ]]></description>
<content:encoded><![CDATA[<p class="small-pad-paragraph">All content transferred via the MEGA platform is end-to-end encrypted. This means that the end user is the only one who can encrypt or decrypt the content. It is virtually impossible for MEGA or any network snooper to gain insight into encrypted content that users store or transfer. MEGA users will never have to trust any network providers, or even MEGA as a cloud service provider, to not compromise their privacy. Obviously, this only works if the user can actually trust the cryptographic design as well as the code implementing it.</p><p class="small-pad-paragraph">The most important way to gain this trust is to release the source to our code, so that anybody can review it and see that we are doing the important technical things that we say we are. We have already released the source code to the MEGA SDK and offer a bug bounty so if there are architecture issues or implementation bugs we can be alerted and can fix them immediately. The MEGA web client source code is also available by using the browser's development tools.</p><p class="small-pad-paragraph">We can also help build this trust by being open and transparent about the technologies and approaches MEGA is using, which is the primary purpose behind this blog post.</p><p class="small-pad-paragraph">Let's begin by having a look at the cryptographic design for MEGA. To start with the basics, every user has two key pairs for public key cryptography, a 2048 bit RSA key pair for encryption and an Ed25519 key pair for signing. Public-key cryptography is a class of cryptographic algorithms which requires two separate (but related) keys, one of which is private and one of which is public. Operations with one key (e.g. encryption with public key, signing with private key) are complemented with operations of the other (e.g. decryption with private key, signature verification with the public key). 
The private keys are stored in the MEGA cloud, protected (encrypted) with the user's master key, which itself is stored with MEGA after being protected through encryption with a key derived from the user's password. Because MEGA only ever knows the public keys, all encryption is controlled by the user, and we recommend a very strong password.</p><p class="small-pad-paragraph">The RSA public key is signed with the Ed25519 key, so users can verify the RSA key's authenticity. The Ed25519 public key is used to derive a fingerprint (160 bit slice of SHA-256 hash), which is also shown on the user interface as "authenticity credentials" to be verified between users. If not verified, the MEGA client still tracks seen fingerprints of all Ed25519 and RSA public keys to alert the user on unexpected changes, e.g. by impostors or snoopers.</p><p class="small-pad-paragraph">Our latest product, MEGAchat, allows users to make end-to-end encrypted audio and video calls. The audio/video chat itself is using a new browser-based technology called <a href="http://www.webrtc.org/" target="_blank">WebRTC</a>, which establishes, where possible, a direct connection between the two peers (peer-to-peer). In some cases (e.g. if somebody is behind a firewall or "shielded" through <a href="https://en.wikipedia.org/wiki/Network_address_translation" target="_blank">NAT</a>), the help of a <a href="https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT" target="_blank">TURN/STUN</a> server is involved to facilitate the connection. To set up the environment for WebRTC connections, an <a href="http://xmpp.org/" target="_blank">XMPP</a> infrastructure is used for presence notifications and connection establishment ("signalling" through <a href="https://en.wikipedia.org/wiki/Jingle_%28protocol%29" target="_blank">XMPP/Jingle</a>). 
This "signalling" then hands over further interactions to the WebRTC end-points living in the two connected browsers.</p><p class="small-pad-paragraph">All connections of the client to the server via XMPP are running through an HTTPS connection. No voice/video communication is routed through XMPP, only the initial call setup. This includes a three-way hand-shake between the two parties, exchanging the RSA encrypted fingerprints of the WebRTC container's internal certificates, thus effectively avoiding any man-in-the-middle attacks on the WebRTC connection. The WebRTC containers themselves then establish all further session parameters (including encryption) by using the standardised and mandatory <a href="https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security" target="_blank">DTLS</a> and <a href="https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol" target="_blank">SRTP</a> protocols. SRTP uses AES-128 encryption in a stream cipher mode for all content.</p><p class="small-pad-paragraph">If everything is done properly, and none of the users' systems are compromised, all data on the established chat connection will be fully confidential. So, the implementation itself must be trustworthy and the consistent delivery of the code must be ensured. All JavaScript code running in the browser is unobfuscated and very easy to inspect for any experienced and technically minded person in this field. The implementation can be reviewed and audited. To avoid any alterations of the served code, initially a secureboot.js file is served to the client. When this file executes, it dynamically retrieves all further JavaScript code and resources into the client, while checking the hash values of all retrieved files. The correct hash values are loaded into secureboot.js at site deployment time. 
For this reason, we are taking extreme care that secureboot.js is only served from a particularly strongly protected web server, whereas all other code is loaded through a content delivery network (CDN). Updated browser extensions for MEGAchat will be released after the beta, which will further improve security.</p><p class="small-pad-paragraph">So, what is the outlook for MEGAchat in the future and what are the security assurances to be expected? Well, so far only audio/video calls via WebRTC are possible. We are not satisfied with that as there is a definite need for text-based communication. In the next release, MEGAchat will be extended to include a text chat feature. Covering the case of privacy with more than two end points is not easy, which is the reason we are still working on it: to get it right! At the launch of the text chat feature, MEGA is planning on publishing one or more white papers, outlining the precise key agreement algorithms with all their properties, thus allowing a proper review of the security properties.</p><p class="small-pad-paragraph">Note: If you are a security researcher, we may be interested in sharing this material already with you before the release. 
Please contact MEGA at <a href="http://mailto:[email protected]" target="_blank">[email protected]</a>.</p><p class="small-pad-paragraph">Users are expecting to be able to use MEGAchat not just with their browsers, but also with one or more mobile or native applications (and see the same view on the conversation from all devices) and we are working hard on native desktop and mobile applications.</p><p class="small-pad-paragraph">Just as the other MEGA mobile and desktop applications are based on the publicly available <a href="https://github.com/meganz/sdk" target="_blank">MEGA SDK</a> (C++), in the future there will be a companion MEGAchat SDK (C++) to enable third party development.</p><p class="small-pad-paragraph">We hope that this article helps to increase the understanding behind MEGA's open encryption protocols. MEGA is working hard to ensure we stand up to our company motto "The Privacy Company".</p><div><br></div>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA 2.0 beta for Android and SDK update]]></title>
<link>https://mega.co.nz/#blog_31</link>
<pubDate>Tue, 23 Dec 2014 01:38:51 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_31</guid>
<description><![CDATA[Launched 18 months ago, our Android app has put encrypted cloud storage into the hands of millions of security-conscious users. Thank you for your loyalty and your constructive feedback! Version 2 of our app has been built to incorporate]]></description>
<content:encoded><![CDATA[<p class="small-pad-paragraph"><b>Season's Greetings from the MEGA Team!</b></p><p class="small-pad-paragraph">Launched 18 months ago, our Android app has put encrypted cloud storage into the hands of millions of security-conscious users. Thank you for your loyalty and your constructive feedback!</p><p class="small-pad-paragraph">Version 2 of our app has been built to incorporate as many of your wishes, suggestions and requests as technically feasible, and we believe that it is now time for you to weigh in on how well we did. We invite you to install and test the first public beta (dubbed the 'Xmas edition') from <a href="https://play.google.com/store/apps/details?id=nz.mega.android" target="_new">Google Play</a>, and we are looking forward to your comments and bug reports.</p><p class="small-pad-paragraph">Key improvements include:</p><ul class="ul-small-pad"><li>Handles large accounts and folders with ease</li><li>Improved user interface</li><li>Access folders that others shared with you</li><li>Share your own folders with others</li><li>Improved photo and video uploads</li><li>Embedded image gallery</li><li>Audio and video streaming</li><li>Transfer manager (pause/restart)</li><li>Open exported file and folder links</li></ul><p class="small-pad-paragraph">All of our apps and client tools are powered by the same set of core C++ classes, which we are maintaining on GitHub. 
We have now opened our <a href="https://github.com/meganz/sdk" target="new">live repository</a> to the public, enabling interested developers to fork and contribute to the project and to build their own apps.</p><p class="small-pad-paragraph">Recent enhancements include:</p><ul class="ul-small-pad"><li>posix/curl: Added explicit c-ares support, eliminating the dependency on libcurl's rarely used --enable-ares</li><li>an intermediate layer to facilitate the use of the SDK core in multi-threaded programs, bindings for higher-level programming languages and platform integration. We presently provide bindings and example mobile apps for Android (Java), iOS and Windows Phone. We are keen to implement new bindings for other languages such as Python and PHP, and we welcome community involvement.</li><li>file attribute streaming</li><li>significantly reduced memory footprint</li><li>major fixes and enhancements in the synchronisation subsystem</li></ul><b>Enjoy!</b>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA unblocked in Italy / MEGA accessibile in Italia]]></title>
<link>https://mega.co.nz/#blog_30</link>
<pubDate>Thu, 25 Sep 2014 00:49:22 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_30</guid>
<description><![CDATA[We're pleased to announce that MEGA was unblocked in Italy on September 15. On July 31, the Italian authorities blocked MEGA on request of a film distributor who claimed copyright for two films that had been uploaded to MEGA by third parties]]></description>
<content:encoded><![CDATA[<p class="small-pad-paragraph">We're pleased to announce that MEGA was unblocked in Italy on September 15.</p><p class="small-pad-paragraph">On July 31, the Italian authorities blocked MEGA on request of a film distributor who claimed copyright for two films that had been uploaded to MEGA by third parties. What the rightsholder should have done is send MEGA a <a href="#takedown">takedown</a> notice consistent with MEGA's <a href="#terms">Terms of Service</a>.</p><p class="small-pad-paragraph">After MEGA appealed, the Italian authorities removed MEGA from the court process, approved restoration of access to MEGA and advised all Internet service providers to release any DNS block.</p><p class="small-pad-paragraph">Some ISPs may not have processed that request yet. If that is the case for you, please contact your Internet provider directly and <a href="mailto:[email protected]">let us know</a> which Internet provider you're using so that we can investigate from our side.</p><p class="small-pad-paragraph"><b><i>Italian Translation / Traduzione italiana</i></b></p><p class="small-pad-paragraph">Siamo lieti di annunciare che MEGA è stato sbloccato in Italia il 15 settembre.</p><p class="small-pad-paragraph">Il 31 luglio, le autorità italiane hanno bloccato MEGA in base alla richiesta di un distributore detentore del copyright di due film caricati da terze parti su MEGA. In questi casi il titolare del copyright avrebbe dovuto contattare direttamente MEGA con una <a href="#takedown">richiesta di rimozione</a> in base ai <a href="#terms">termini di servizio</a> di MEGA.</p><p class="small-pad-paragraph">Dopo che MEGA ha presentato ricorso, le autorità italiane hanno rimosso MEGA dagli imputati e hanno approvato lo sblocco della connessione ai server DNS.</p><p class="small-pad-paragraph">Qualche fornitore di servizi internet non ha ancora processato la richiesta. 
In questi casi contattate direttamente il vostro fornitore e <a href="mailto:[email protected]">scriveteci</a> farci investigare.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGAsync for Linux]]></title>
<link>https://mega.co.nz/#blog_29</link>
<pubDate>Fri, 05 Sep 2014 20:58:56 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_29</guid>
<description><![CDATA[We are pleased to announce the immediate availability of our desktop cloud synchronisation solution for Linux. <br>MEGAsync for Linux offers the same functionality as its already highly popular siblings for Windows and OS X]]></description>
<content:encoded><![CDATA[<p class="small-pad-paragraph">We are pleased to announce the immediate availability of our desktop cloud synchronisation solution for Linux.</p><p class="small-pad-paragraph"><a href="#sync!linux">MEGAsync for Linux</a> offers the same functionality as its already highly popular siblings for Windows and OS X, finally enabling the Linux community to take full advantage of MEGA's powerful end-to-end encrypted cloud storage platform.</p><p class="small-pad-paragraph">All major distributions (Debian, Fedora, openSUSE and Ubuntu) are supported on x86 and amd64. Others, such as Arch Linux, are reported to be compatible.</p><p class="small-pad-paragraph"><a href="#sync!linux">MEGAsync for Linux</a> comes with optional integration into the Nautilus file manager. Additionally, we aim to support more distributions and CPU architectures and develop extensions for alternative file managers.</p><p class="small-pad-paragraph">MEGA currently provides a multi-platform <a href="https://github.com/meganz/sdk2" target="_new">software development kit</a>, and we have plans to release the source code to MEGAsync under an open-source license.</p><p class="small-pad-paragraph">If you have any comments, suggestions, complaints or bug reports, please contact our Linux specialists at <a href="mailto:[email protected]">[email protected]</a>.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Mega Limited announces new technology appointments]]></title>
<link>https://mega.co.nz/#blog_28</link>
<pubDate>Wed, 06 Aug 2014 22:15:45 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_28</guid>
<description><![CDATA[The CEO of Mega, Graham Gaylard, today announced two senior technology appointments to join the Mega team. Dr Stuart Inglis BCMS (hons), PGDMS, Ph.D. has been appointed Chief Technology Officer commencing immediately]]></description>
<content:encoded><![CDATA[<p class="small-pad-paragraph">The CEO of Mega Limited, Graham Gaylard, today announced two senior technology appointments to join the MEGA team.</p><p class="small-pad-paragraph">Dr Stuart Inglis BCMS (hons), PGDMS, PhD has been appointed Chief Technology Officer commencing immediately, replacing Mathias Ortmann, who will take on the Chief Systems Architect role within the company.</p><p class="small-pad-paragraph">Stuart is a professional computer scientist with over 30 years programming experience and a passion for software innovation. He has a blend of technical excellence and software project management experience, with a background in algorithm design, intellectual property creation, high performance computing and low-level optimisation. He has expertise in software engineering, high reliability hosting, data analysis and complex solution development.</p><p class="small-pad-paragraph">His first commercial experience was as the NZ director and R&D software developer at New York-based Webmind, followed by founding the San Francisco data analysis company Reel Two, Inc. in 2001. The NZ subsidiary of Reel Two was sold to NetValue in 2007, where Stuart became a shareholder and director.</p><p class="small-pad-paragraph">He joins MEGA from his previous role as the CTO of NetValue, which saw him lead the technical development of large projects and high-tech spin off companies including Real Time Genomics and SureChem. NetValue's subsidiary company, Interspeed, is a leader in high-reliability hosting.</p><p class="small-pad-paragraph">The second appointment is Mark van Walraven MSc, who has been appointed Senior Systems Administrator, a new role that has been created to oversee MEGA's global technical expansion. Mark has an extensive background in systems management and has been associated with Mr Gaylard's businesses for twenty years.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Mega Limited announces new CEO to lead the company in its new growth phase]]></title>
<link>https://mega.co.nz/#blog_27</link>
<pubDate>Sun, 03 Aug 2014 23:00:49 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_27</guid>
<description><![CDATA[The directors of Mega Ltd, the end-to-end encrypted cloud storage company, have announced the appointment of Graham Gaylard as CEO to lead the company through its next global growth phase]]></description>
<content:encoded><![CDATA[<p class="small-pad-paragraph">The directors of Mega Ltd, the end-to-end encrypted cloud storage company, have announced the appointment of Graham Gaylard as CEO to lead the company through its next global growth phase.</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/blog_image_08_14.png" class="blog-left-image"><p class="blog-p-left-pad">Mr Gaylard is a senior technology CEO with considerable experience in new ventures and start-ups. His entrepreneurial initiatives date back to 1995 when he established Wave Internet, which was sold five years later. Since then he has assisted with a number of technology start-ups, accessing venture capital both in New Zealand and in Silicon Valley.<br><br> Mr Gaylard is an award-winning Computer Science and MBA graduate from Waikato University, and has been based in Hamilton for over 20 years running technology businesses.</p><p class="small-pad-paragraph">He established web applications and hosting company NetValue in Hamilton in 2003, which now employs 45 people. Mr Gaylard is also currently a Director of Real Time Genomics and the Chair of Soda Inc. 
His new role sees him based at Mega's Auckland offices at the BDO Tower, 120 Albert St, Auckland.</p><p class="small-pad-paragraph">Mr Gaylard said he was looking forward to the challenge of leading Mega through an exciting new growth period, which would be focused on secure online communication and collaboration.</p><p class="small-pad-paragraph">"Our unique end-to-end-encrypted services provide businesses and consumers with secure cloud storage and communication capability at highly competitive rates," he said.</p><p class="small-pad-paragraph">"Our business model is based on providing free storage of up to 50 GB, with a premium service for greater storage on a monthly, recurring revenue basis."</p><p class="small-pad-paragraph">"This capability provides businesses and consumers with real-time collaborative access to secure data regardless of where in the world they are located," Mr Gaylard said.</p><p class="small-pad-paragraph">Mega Directors also announced that former Acting CEO, Stephen Hall, would remain in the business to focus on the anticipated listing and merger with TRS.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Lost passwords in the crypto age]]></title>
<link>https://mega.co.nz/#blog_26</link>
<pubDate>Sat, 26 Apr 2014 04:49:54 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_26</guid>
<description><![CDATA[The advent of end-to-end encryption has created a new type of human drama: The "I can't remember the password of my cloud account, and their customer support insists that they cannot help me" disaster]]></description>
<content:encoded><![CDATA[<p>The advent of end-to-end encryption has created a new type of human drama: The "I can't remember the password of my cloud account, and their customer support insists that they cannot help me" disaster. While we cannot assist with after-the-fact password recovery, we now provide a safety net for the <i>proactive</i> forgetful:</p><p class="small-pad-paragraph"><span class="blog-new-number">1</span><span class="blog-new-num-txt"><a href="#backup">Export</a> your master crypto key</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">2</span><span class="blog-new-num-txt">Store it in a safe place</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">3</span><span class="blog-new-num-txt">Forget your password</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">4</span><span class="blog-new-num-txt"><a href="#recovery">Request</a> a password reset link by e-mail</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">5</span><span class="blog-new-num-txt">Set a new password after providing the exported master key</span><span class="clear"></span></p><p>If you are a not-so-proactive forgetful, there is now a workflow that permits the re-use of your primary e-mail address for a fresh and empty MEGA account with optional retroactive recovery:</p><p class="small-pad-paragraph"><span class="blog-new-number">1</span><span class="blog-new-num-txt">Forget your password</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">2</span><span class="blog-new-num-txt"><a href="#recovery">Request</a> a password reset link by e-mail</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">3</span><span class="blog-new-num-txt">Park your existing account and create a new one</span><span 
class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">4</span><span class="blog-new-num-txt">Remember your old password within 60 days</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">5</span><span class="blog-new-num-txt">Contact the friendly MEGA support team at <a href="mailto:[email protected]">[email protected]</a> and ask them to restore the parked account</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">6</span><span class="blog-new-num-txt">Log into the restored account</span><span class="clear"></span></p><p>In other news, we have upgraded our infrastructure (your data now fills 8,000 hard drives), our web file manager (with vastly improved file transfer efficiency), MEGAsync for Windows (with the MacOS X and Linux versions coming out shortly) and our mobile apps (major upgrades to the iOS and Android apps are on the way!).</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA announces plans to be listed on the New Zealand Stock Exchange]]></title>
<link>https://mega.co.nz/#blog_25</link>
<pubDate>Mon, 24 Mar 2014 14:34:41 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_25</guid>
<description><![CDATA[Shareholders of Mega Limited ("Mega") have entered into a conditional agreement to acquire NZSX listed company TRS Investments Limited ("TRS") in a reverse takeover transaction]]></description>
<content:encoded><![CDATA[<p>Auckland, New Zealand - 25 March 2014: Shareholders of Mega Limited ("Mega") have entered into a conditional agreement to acquire NZSX listed company TRS Investments Limited ("TRS") in a reverse takeover transaction.</p><p class="strong-paragraph">Principal terms of the transaction</p><p>TRS (<a href="https://www.nzx.com/markets/NZSX/securities/TRS" target="_blank">NZSX:TRS</a>) will undertake a 148 to 1 consolidation of its existing share capital and will then issue 700,000,000 new shares in TRS to the existing shareholders of Mega at an issue price of 30 cents per share. Following completion of the transaction, the existing shareholders of Mega will hold approximately 99% of the shares on issue in TRS.<br><br>TRS will change its name to Mega.<br><br>Further particulars about the proposed consolidation will be provided to the market in due course.<br><br>The acquisition is principally conditional upon TRS obtaining all shareholder approvals and such other consents and approvals that may be required to undertake the transaction, and the arrangements collateral to the transaction, including but not limited to those approvals required in accordance with the Companies Act, the Takeovers Code, NZSX Listing Rules and the Securities Act, on or before 30 May 2014.<br><br>TRS will circulate a Notice of Special Meeting and collateral documentation for a meeting of Shareholders to approve the transaction.<br><br>Stephen Hall, Chief Executive of Mega, said "The rapid global growth of Mega has generated significant interest from potential investors. 
Listing on the New Zealand Stock Exchange will allow investors to participate in the ongoing growth of Mega".</p><p class="strong-paragraph">About Mega</p><p>Mega is a global technology business headquartered in Auckland that delivers encrypted, cloud based services that enable private, secure online communication and collaboration for businesses and individuals.<br><br>Mega's browser-based User Controlled Encryption (UCE) is unique in providing automatic encryption for all data transferred to and stored on Mega's cloud service. UCE means that only the user controls the encryption key. This provides a level of privacy and security that is unique, and allows Mega to position itself as "<a href="#privacycompany">The Privacy Company</a>".<br><br>The Mega service was launched on 20th January 2013. Mega currently has around 7 million registered users, with new user registrations exceeding 20,000 per day. Users have stored nearly one billion encrypted files in the Mega cloud and are currently uploading up to 11 million files per day.<br><br>Mega expects to release encrypted instant messaging and encrypted chat and video conferencing in the second quarter of 2014. Development of an encrypted email service is planned.</p><p class="strong-paragraph">Media enquiries:</p><p>Stephen Hall - Chief Executive<br><a href="mailto:[email protected]">[email protected]</a><br>Mobile: +64 21 715725</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA turns 1]]></title>
<link>https://mega.co.nz/#blog_24</link>
<pubDate>Sun, 19 Jan 2014 09:39:13 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_24</guid>
<description><![CDATA[When we launched MEGA a year ago, global mass surveillance by rogue governments under the pretext of fighting terrorism was still a wild conjecture]]></description>
<content:encoded><![CDATA[<p>When we launched MEGA a year ago, global mass surveillance by rogue governments under the pretext of fighting terrorism was still a wild conjecture and its proponents were often touted as conspiracy theorists. Edward Snowden's revelations 137 days later fundamentally changed public attitudes and it became excruciatingly clear that <i>security by policy</i> ("we have access to your data, but we promise to keep it confidential and not misuse it") had not been good enough. Anything short of <i>security by design</i> ("we cannot gain access to your data without you being able to find out"), for which strong end-to-end encryption is an essential prerequisite, now seems grossly insufficient.</p><p>MEGA was architected around the simple fact that cryptography, for it to be accepted and used, must not interfere with usability. MEGA is fully accessible without prior software installs and remains the only cloud storage provider with browser-based high-performance end-to-end encryption. The only visible signs of the crypto layer operating under MEGA's hood are the entropy collection during signup, the lack of a password reset feature and the novel (and browser-specific) ways file transfers are conducted. Today, millions of business and personal users rely on MEGA to securely and reliably store and serve petabytes of data and we believe that this success is the result of MEGA's low barrier to entry to a more secure cloud.</p><p>Since we opened MEGA to the public, we have added many of the initially missing bits and pieces: we have launched mobile apps for <a href="#mobile">Android and iOS</a> and a <a href="#sync">Windows sync client</a>. 
Yet, our cloud storage product is still incomplete — tablet support, BlackBerry and Windows Phone apps and sync clients for MacOS and Linux are on their way, along with a much more complete and accessible <a href="#sdk">SDK</a>.</p><p>We would like to thank all users who put up with the teething issues during our beta phase, the critics who sparked healthy and often entertaining controversy around our design decisions and the security researchers who successfully participated in our bug bounty program.</p><p>This year, MEGA will evolve beyond mere cloud storage and become a feature-complete online collaboration and communication platform, all with no-compromise end-to-end encryption.</p><p>It has been an extremely busy year for us, and we're looking forward to the next twelve months of providing a feature-rich secure cloud!</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA releases iOS app]]></title>
<link>https://mega.co.nz/#blog_23</link>
<pubDate>Tue, 26 Nov 2013 20:50:32 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_23</guid>
<description><![CDATA[Our official iOS app is now available free of charge from the App Store.]]></description>
<content:encoded><![CDATA[<p>Our official iOS app is now available free of charge from the <a href="https://itunes.apple.com/app/mega/id706857885" target="_blank">App Store</a>.</p><p>Features:</p><ul class="ul-small-pad"><li>Browse and manage your MEGA cloud storage account</li><li>Fast file transfers</li><li>Preview and stream supported document and file formats</li><li>Export and send file and folder links</li><li>Import file links into your account</li></ul><p>Coming soon:</p><ul class="ul-small-pad"><li>Photo sync</li><li>iPad support</li></ul>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA exits beta]]></title>
<link>https://mega.co.nz/#blog_22</link>
<pubDate>Wed, 06 Nov 2013 09:42:18 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_22</guid>
<description><![CDATA[Nine months after our launch, MEGA is born again with significant optimizations and improvements and a fresh look. This is a summary of what's new]]></description>
<content:encoded><![CDATA[<p>Nine months after our launch, MEGA is born again with significant optimizations and improvements and a fresh look. This is a summary of what's new.</p><p class="strong-paragraph new-blog-icon faster-loading-icon">Faster loading</p><p class="small-pad-paragraph">We have cut down on code size and implemented dynamic feature fetching.</p><p class="strong-paragraph new-blog-icon new-user-interface">New user interface</p><p class="small-pad-paragraph">We have refreshed MEGA's look & feel. We have dramatically reduced CPU overhead, resulting in a snappier user experience - especially if you have a lot of files and large folders.</p><a href="https://eu.static.mega.co.nz/images/mega/blogs/fullsize/FM_page.png" target="_blank" class="blog-new-full-img middle-blog-img"><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/retina/FM_page.png"></a><a href="https://eu.static.mega.co.nz/images/mega/blogs/fullsize/contacts_page.png" target="_blank" class="blog-new-full-img middle-blog-img"><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/retina/contacts_page.png"></a><p class="strong-paragraph new-blog-icon local-caching-icon">Local caching</p><p class="small-pad-paragraph">MEGA will cache your session in your browser, speeding up subsequent logins - only changes that have occurred since the session ended need to be loaded from the server.</p><p class="strong-paragraph new-blog-icon user-avatars-icon">User avatars</p><p class="small-pad-paragraph">You can now set up your own profile image that will appear in your friends' contact lists in real time. Simply drag and drop your picture onto your account page, then scale and crop it.</p><p class="strong-paragraph new-blog-icon contact-management-icon">Improved contact management</p><p class="small-pad-paragraph">You can now see the number of files a user is sharing with you, along with the last modified date/time. 
This is useful for tracking changes (in addition to the instant notifications).</p><p class="strong-paragraph new-blog-icon new-tree-panel-icon">New tree panel navigation </p><p class="small-pad-paragraph">You can now easily switch between your contacts (shared folders), your cloud drive, your rubbish bin and your inbox by using the four colour-coded buttons at the top, allowing you to navigate conveniently between these sections. You can, for example, drop a file into a contact's inbox by dragging it over the contacts icon which will automatically scroll to your contact list.</p><p class="strong-paragraph new-blog-icon improved-transfers-icon">Improved file transfers</p><p class="small-pad-paragraph">Navigating the site while file transfers are in progress is now supported. Your transfer queue will shrink to a small transfer widget in the lower left corner whenever you leave the file manager.</p><p class="strong-paragraph new-blog-icon firefox-extension-icon">Firefox extension</p><p class="small-pad-paragraph">This extension will reduce loading times, improve download performance and strengthen security. Downloaded data is written directly to your hard drive instead of buffering it in the browser. It also allows you to download entire folder structures. 
Updates to the app are cryptographically signed - by us, not by an entity that falls under the jurisdiction of National Security Letters.</p><h2 class="not-float">Expected later this month:</h2><p class="strong-paragraph new-blog-icon new-ios-icon">iOS app</p><a href="https://eu.static.mega.co.nz/images/mega/blogs/fullsize/iOS_1_page.png" target="_blank" class="blog-new-full-img list-blog-img"><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/retina/iOS_1_page.png"></a><p class="strong-paragraph new-blog-icon new-sync-icon">Sync client</p><a href="https://eu.static.mega.co.nz/images/mega/blogs/fullsize/sync_page.png" target="_blank" class="blog-new-full-img list-blog-img"><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/retina/sync_page.png"></a><h2 class="not-float">Expected early 2014:</h2><ul class="small-pad"><li>Encrypted messaging: Exchange messages with any MEGA user. Attach files and folders to your messages. Multiple recipients and rich text formatting are supported.</li></ul><a href="https://eu.static.mega.co.nz/images/mega/blogs/fullsize/messages_page.png" target="_blank" class="blog-new-full-img list-blog-img"><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/retina/messages_page.png"></a><ul class="small-pad"><li>Encrypted chat: Real-time chat with any MEGA user (OTR supported). Exchange files and folders with your peer. Secure audio/video calls are supported.</li></ul><a href="https://eu.static.mega.co.nz/images/mega/blogs/fullsize/video_page.png" target="_blank" class="blog-new-full-img list-blog-img"><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/retina/video_page.png"></a>]]></content:encoded>
</item>
<item>
<title><![CDATA[New Zealand Storage Node now live]]></title>
<link>https://mega.co.nz/#blog_21</link>
<pubDate>Tue, 03 Sep 2013 07:48:00 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_21</guid>
<description><![CDATA[Our New Zealand storage node is now officially open for business. It also serves our Australian, Papua New Guinean, Fijian and New Caledonian customers]]></description>
<content:encoded><![CDATA[<p>Our New Zealand storage node is now officially open for business. It also serves our Australian, Papua New Guinean, Fijian and New Caledonian customers. Please note that even though all transfers of files from or to your own account originate or terminate in New Zealand, API requests still have to travel all the way to Europe and back, and that your metadata continues to be stored there. Also, our geographic data redundancy policy applies, so all data that is stored on our New Zealand cluster will eventually get mirrored to Europe. Bear this in mind if you are from NZ and legally barred from storing sensitive data offshore.</p><p class="strong-paragraph">SDK updated</p><p class="small-pad-paragraph">Based on community feedback, our <a href="/#dev">C++ SDK</a> has evolved significantly. We are now working on broad platform support.</p><p class="strong-paragraph">Security scare</p><p class="small-pad-paragraph">We would like to thank a high-profile member of the MEGA community for highlighting two of the potential security risks associated with using computers in general and JavaScript-based cryptography in particular. All of these issues have been <a href="/#help_security">covered in our FAQ</a> from the start, but we would like to use the opportunity and reiterate them here in case you have missed that:</p><p class="strong-paragraph">1. If you have access to a computer, you can break MEGA (and everything else, too)</p><p class="small-pad-paragraph">This problem is illustrated by a <a href="http://nzkoz.github.io/MegaPWN/" target="_new">MEGA-specific browser bookmarklet</a> that allows the victim to break into his or her own MEGA account. A more generalized approach is outlined in Brian Kaplan's paper <a href="http://cryptome.org/0003/RAMisKey.pdf" target="_new">RAM is Key - Extracting Disk Encryption Keys From Volatile Memory</a>. 
And, needless to say, if the victim installs remote monitoring software (such as a keylogger/screen grabber) on his machine, the potential security breach becomes pretty much all-encompassing.</p><p class="strong-paragraph">2. JavaScript cryptography is weak, because the code is loaded on the fly</p><p class="small-pad-paragraph">There are two trust issues associated with on-the-fly code loading: How secure is the delivery mechanism? And will the service provider send me trojaned code upon receipt of e.g. a <a href="http://en.wikipedia.org/wiki/National_security_letter" target="_new">National Security Letter</a>?</p><p class="strong-paragraph">2.1 JavaScript delivery</p><p class="small-pad-paragraph">The integrity of our JavaScript code depends on the integrity of all SSL certificate issuers that your browser trusts, plus the ISPs between you and our root server cluster and/or the DNS servers involved. Or, put bluntly, "if you can break SSL, you can break MEGA". Of course, if you can break SSL, there might be more interesting targets for you to break than MEGA...</p><p class="small-pad-paragraph">In addition, we are continuously monitoring our root and API server SSL certificates from a variety of points around the globe. Should any breach be detected, we will immediately shut down MEGA and only resume service once the situation is clarified.</p><p class="strong-paragraph">2.2 Intentional delivery of backdoored JavaScript code by us to specific users</p><p class="small-pad-paragraph">Technically, we could serve you backdoored JavaScript code that sends your master encryption key back to us. But that would be pointless, because any such attempt could easily be detected and would completely ruin our credibility. Some jurisdictions force service providers to install backdoors, but MEGA will <strong>always</strong> migrate to a jurisdiction that respects your right to privacy instead of putting your data at risk. Major software vendors, e.g. 
in the United States, could easily be forced by their local government to abuse their update mechanisms to deliver backdoor code to specific targets. We will never provide any government with any backdoors, period.</p><p class="small-pad-paragraph">The fundamental difference between traditional (server-side encrypting) and secure (client-side end-to-end encrypting) cloud storage providers is that the former can intercept all data of all users without the victims having a way of finding out, while the latter have to do something that is detectable on the client side.</p><p class="strong-paragraph">2.3 Solutions</p><p class="small-pad-paragraph">If you are worried about the risks outlined above, you should use MEGA in a way that does not rely on code delivered on the fly.</p><p class="strong-paragraph">2.3.1 Loading MEGA's JavaScript code base from your local machine</p><p class="small-pad-paragraph">We offer a browser extension (currently <a href="/#chrome">available for Chrome</a>, coming soon for Firefox) that holds all of MEGA's code locally. If you install a version that someone you trust has code-audited and turn off automatic updates, we cannot backdoor you even if we wanted to.</p><p class="strong-paragraph">2.3.2 Using a client application</p><p class="small-pad-paragraph">In a similar vein, non-autoupdating client applications that were written or audited by someone you trust are immune against dynamic backdooring.</p><p class="strong-paragraph">3. Untrusted JavaScript loaded from a website is still safer than an untrusted executable loaded from the same website</p><p class="small-pad-paragraph">It is a common misperception that JavaScript is inherently insecure and that native machine code is a much better choice for cryptography. 
While it is true that full access to the host machine's features allows for some additional degree of security (such as preventing keys from being sent to swap space), malicious JavaScript executing in your browser's sandbox (assuming, of course, that no known browser vulnerabilities exist — an admittedly rather weak assumption) at least cannot take over your entire user account or, if you work as root/Administrator, system!</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[New Guidance Published]]></title>
<link>https://mega.co.nz/#blog_20</link>
<pubDate>Wed, 14 Aug 2013 09:22:39 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_20</guid>
<description><![CDATA[MEGA has today published its Guidance on Requesting User Information or "Takedown" of User Data which comes into force]]></description>
<content:encoded><![CDATA[<p>MEGA has today published its <a href="#takedown">Guidance on Requesting User Information or "Takedown" of User Data</a> which comes into force from 23 August 2013.</p><p class="small-pad-paragraph">The Guidance describes how MEGA will look to achieve the balance between maintaining industry-leading levels of confidentiality of user information and data with the lawful constraints on privacy. It is aimed at providing transparency to everyone interested in MEGA's services and consistency in actions.</p><p class="small-pad-paragraph">Users of MEGA's services should note that the Guidance does not modify or create additional obligations. It only provides guidance as to how MEGA will generally act in relation to MEGA's <a href="#terms">terms of service</a>, <a href="#privacy">privacy policy</a> and <a href="#copyright">copyright infringement</a> policy in addition to all applicable laws.</p><p class="small-pad-paragraph">MEGA had published a <a href="#blog_16">draft policy</a>, and thanks everyone who provided very valuable comments. These comments have been fully considered and incorporated in the final guidance published today.</p><p class="small-pad-paragraph">Transparency of intentions and consistency of actions are very important in promoting confidence in, and understanding of, MEGA's services. We hope such actions will also be adopted by every other provider of online services. This will help raise the trust and appropriate use of Internet services.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Matters]]></title>
<link>https://mega.co.nz/#blog_19</link>
<pubDate>Sat, 20 Jul 2013 10:24:23 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_19</guid>
<description><![CDATA[Perfect Forward Secrecy, new <a href="#chrome">Chrome App</a>, Vulnerability Rewards Update and Content Security Policy]]></description>
<content:encoded><![CDATA[<p class="strong-paragraph">1. Perfect forward secrecy</p><p class="small-pad-paragraph">Sparked by a recent article published by Netcraft, <a href="http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html" target="_blank">"SSL: Intercepted today, decrypted tomorrow"</a>, some users voiced concerns about MEGA's lack of PFS support. Unfortunately, the authors only tested our static utterly non-secret content servers. The servers they <i>should</i> have checked (the API request handlers) do support PFS.</p><p class="strong-paragraph">2. Root server / SSL risk mitigation through our Chrome App</p><p class="small-pad-paragraph">MEGA is quite resilient against attacks on its distributed static content servers. However, you still have to trust three entities when you load <a href="https://mega.co.nz/">https://mega.co.nz/</a> in your browser: Us, our static root server cluster and all certification authorities that your browser trusts (or all relevant DNS servers and upstream ISPs). Concerned? To eliminate the latter two, we're introducing a <a href="#chrome">Chrome App</a> that loads all of MEGA's JavaScript code from your local machine. Updates to the app are cryptographically signed — by us, not by an entity that falls under the jurisdiction of <a href="http://en.wikipedia.org/wiki/National_security_letter" target="_blank">National Security Letters</a>, which unfortunately precludes offering the app through the Chrome Web Store. The code installed by the app is open to public scrutiny, and if you turn off automatic updates, nobody can sneakily plant a trojaned version on your computer any more — not even us.</p><p class="small-pad-paragraph">A similar extension for Mozilla Firefox is currently in the making, which will also feature an enhanced download engine and other improvements.</p><p class="strong-paragraph">3. 
Vulnerability Rewards Update / Content Security Policy</p><p class="small-pad-paragraph">It has been four months since the last bug bounty was paid (by the way, security holes in our newly released <a href="#dev">MEGA SDK</a>'s C++ code qualify — please have a look).</p><p class="small-pad-paragraph">As seven out of the ten vulnerabilities that earned a reward were XSS issues, we have added a <a href="http://en.wikipedia.org/wiki/Content_Security_Policy" target="_blank">content security policy (CSP)</a>, making it much more difficult to exploit these successfully. Please use a <a href="http://caniuse.com/contentsecuritypolicy" target="_blank">browser with CSP support</a>.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Kia ora, hello from New Zealand.]]></title>
<link>https://mega.co.nz/#blog_18</link>
<pubDate>Wed, 10 Jul 2013 22:05:09 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_18</guid>
<description><![CDATA[I am Vikram Kumar, Chief Executive Officer (CEO) of MEGA. I've been in this role for some time now and thought it was time to reach out to you.<br>Thank you! Let me start by thanking you.]]></description>
<content:encoded><![CDATA[<p>I am Vikram Kumar, Chief Executive Officer (CEO) of MEGA. I've been in this role for some time now and thought it was time to reach out to you.</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/blog-img7.png" class="blog-left-image"><p class="blog-p-left-pad"><strong>Thank you!</strong><br><br>Let me start by thanking you. Whether you have already signed up to use MEGA or are thinking about it, you are the reason why MEGA exists.<br><br>MEGA's rapid growth in the five months since launch is an indicator of your overwhelming support.</p><div class="clear"></div><p class="small-pad-paragraph">To cater to the massive demand for storage and bandwidth, MEGA has deployed additional storage nodes in Luxembourg and New Zealand. The latter will also improve latency for MEGA users in Australia, Pacific Islands, and USA West Coast.</p><p class="small-pad-paragraph">We don't take your support lightly. The MEGA team is committed to keeping the service as quick, easy to use, and uncluttered as possible. We appreciate that you want a reliable service, one that you can trust. As a small gesture of thanks, MEGA is not enforcing the free 50 GB storage limit at present (but, yes, we will need to enforce that at some point in the future so getting a Pro account is a good idea).</p><p class="strong-paragraph">Apps and desktop client</p><p class="small-pad-paragraph">You have been telling us for a while now that apps (Android, iOS) as well as a desktop synchronisation client are very valuable. The MEGA team have been busy working on these, including working with others to build these as quickly as possible.</p><p class="small-pad-paragraph">A foundation requirement for these efforts has been the development of a Software Development Kit (SDK). The SDK makes it much easier and more secure for developers to use MEGA for their own apps and services. The apps and desktop synchronisation clients also use the SDK. 
Getting it right has therefore been of critical importance. It is also an extremely complex undertaking. This is why it has taken longer than we expected.</p><p class="small-pad-paragraph">The good news is that the <a href="#dev">beta version of the SDK</a> is done. We've also launched an <a href="#affiliates">Affiliate Program</a> to partner with interested people and organisations in driving and jointly benefitting from innovative services using MEGA as a platform. The official <a href="https://play.google.com/store/apps/details?id=com.flyingottersoftware.mega" target="_blank">Android app</a> has also been a big hit.</p><p class="small-pad-paragraph">All of this should give you confidence that remaining apps and desktop synchronisation clients are moving ahead as well.</p><p class="small-pad-paragraph">You have also asked for messaging (email, chat, etc.) from MEGA with all the benefits of end-to-end encryption. We are working on this too.</p><p class="small-pad-paragraph">All of these service development efforts require the best software engineers in the world. MEGA is looking for lead developers (details at <a href="#blog_14">mega.co.nz/#blog_14</a>) to help deliver on your expectations from us.</p><p class="strong-paragraph">Your comments, questions</p><p class="small-pad-paragraph">I will periodically use this blog to keep you updated with happenings at MEGA and to better explain MEGA's progress of being the world's Privacy Company.</p><p class="small-pad-paragraph">In the meantime, you can always email me your comments and questions at <a href="mailto:[email protected]">[email protected]</a>. Depending on the volume of your email, I may not be able to answer each of them individually. 
However, I promise to read each one and to take up common comments and questions in future blog posts.</p><p class="small-pad-paragraph">If you haven't yet checked out MEGA's Facebook page, take a look at <a href="http://www.facebook.com/OfficialMEGA" target="_blank">facebook.com/OfficialMEGA</a></p><p class="small-pad-paragraph">Best wishes and thank you once again,<br><i>Vikram</i></p>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA launches SDK and Affiliate program]]></title>
<link>https://mega.co.nz/#blog_17</link>
<pubDate>Mon, 08 Jul 2013 12:00:10 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_17</guid>
<description><![CDATA[Today, MEGA launches its C++ <a href="#dev">SDK (software development kit)</a>, enabling developers to access MEGA's API functionality without first having to implement thousands of lines]]></description>
<content:encoded><![CDATA[<p>Today, MEGA launches its C++ <a href="#dev">SDK (software development kit)</a>, enabling developers to access MEGA's API functionality without first having to implement thousands of lines worth of low-level functionality. Support for other languages will be added as soon as possible.</p><p>To incentivise the development of great client applications, MEGA also launches an <a href="#affiliates">affiliate program</a> that allows developers to receive a share of the revenue coming from their user base.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Draft Law Enforcement and Takedown Requests Policy]]></title>
<link>https://mega.co.nz/#blog_16</link>
<pubDate>Mon, 08 Jul 2013 10:53:30 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_16</guid>
<description><![CDATA[MEGA invites your views and comments on its draft Law Enforcement and Takedown Requests Policy. This describes how MEGA will generally act to protect the privacy]]></description>
<content:encoded><![CDATA[<p>MEGA invites your views and comments on its draft Law Enforcement and Takedown Requests Policy. This describes how MEGA will generally act to protect the privacy of the users of its services within the legal framework in which it operates.</p><p class="small-pad-paragraph">Please send your feedback by email to <a href="mailto:[email protected]">[email protected]</a>. Your comments will help to ensure that MEGA gets it right. The policy finally adopted will be published on MEGA's website in due course.</p><p class="strong-paragraph">Why a policy is required</p><p class="small-pad-paragraph">MEGA strives for transparency of intentions and consistency of actions. People put their trust in MEGA and it is important for expectations to be well informed.</p><p class="small-pad-paragraph">Recently, there have been rolling revelations of how governments around the world are spying on Internet activities. In the name of national security and protecting economic interests, governments are secretly collecting and storing everything people do online. While further revelations will illuminate the full extent of ubiquitous surveillance globally, there is no doubt that protecting privacy online needs routine encryption.</p><p class="small-pad-paragraph">These revelations have raised questions of how popular, leading online services headquartered in USA cooperate (or are forced to cooperate) with governments. Much of this is speculation as the relationship and practices are kept secret by the law and gag orders.</p><p class="small-pad-paragraph">MEGA is subject to New Zealand jurisdiction and law. Within the applicable legal framework, there is some latitude for organisations to make choices of the extent and nature of cooperating with law enforcement and other authorities. 
MEGA, as The Privacy Company, intends to act so as to maximise privacy protection to the extent possible and appropriate within the applicable laws.</p><p class="strong-paragraph">Lawful use of MEGA's services</p><p class="small-pad-paragraph">Cloud storage and collaboration services are still in their infancy. People and businesses are constantly finding new and innovative ways to use and benefit from such services. MEGA encourages and supports the widest range of lawful use of its services.</p><p class="small-pad-paragraph">MEGA was designed and operates with this in mind. As an example, MEGA was architected to protect privacy rather than enable anonymity.</p><p class="small-pad-paragraph">The reality is that MEGA's services are overwhelmingly used for lawful purposes. For example, MEGA receives 50-100 takedown notices daily for alleged copyright infringement. It has received just one warrant from law enforcement authorities for taking down stored material since launch.</p><p class="small-pad-paragraph">For context, Google gets over half a million copyright removal notices each day according to its <a href="http://www.google.com/transparencyreport/removals/copyright/" target="_blank">Transparency Report</a>. Twitter <a href="https://transparency.twitter.com/copyright-notices" target="_blank">reports</a> getting 3,268 notices for the second half of 2012. 
From another perspective, Microsoft has <a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/" target="_blank">reported</a> getting 75,378 law enforcement requests in 2012 while Facebook <a href="http://newsroom.fb.com/News/636/Facebook-Releases-Data-Including-All-National-Security-Requests" target="_blank">reports</a> getting between 9,000 and 10,000 requests for user data from government entities in the second half of 2012.</p><p class="strong-paragraph">Your views</p><p class="small-pad-paragraph">Developing the draft Law Enforcement and Takedown Requests Policy has been a complex undertaking as it requires taking into account and balancing numerous legal, business and technical perspectives. Your comments and views are invaluable in helping MEGA get the final, adopted policy right. Thank you for taking the time and effort to do so. Please note that the draft policy is not a standalone document. It needs to be looked at in the context of the <a href="#terms">Terms of Service</a>, <a href="#privacy">Privacy Policy</a>, <a href="#copyright">Copyright</a> terms, and applicable laws.</p><p class="strong-paragraph">Draft Law Enforcement and Takedown Requests Policy</p><p class="small-pad-paragraph">(You can also download the draft policy as a <a href="https://eu.static.mega.co.nz/Law_Enforcement_and_Takedown_Requests_draft.pdf">PDF document</a>)</p><p class="strong-paragraph">Overview</p><p class="small-pad-paragraph">MEGA is 'The Privacy Company' and values the privacy of the users of its services. The company is committed to ensuring the highest level of security and confidentiality of data that users entrust to it. However, privacy is not an absolute right and is subject to lawful limitations.</p><p class="small-pad-paragraph">This policy describes how MEGA will generally act to achieve that balance and, in particular, the approach it will take to requests in criminal and civil actions against or involving its users. 
The policy is aimed at providing transparency to everyone interested in MEGA's services and consistency in actions.</p><p class="small-pad-paragraph">THIS POLICY IS PROVIDED FOR ASSISTANCE AND GUIDANCE ONLY. IT DOES NOT CREATE ANY LEGALLY BINDING OBLIGATIONS ON THE PART OF MEGA AND MEGA BEARS NO LIABILITY WHATSOEVER FOR COMPLYING OR NOT COMPLYING WITH IT, AS IT SEES FIT, AT ANY TIME. ALL LIMITATIONS AND EXCLUSIONS OF LIABILITY SET OUT IN MEGA'S <a href="#terms">TERMS OF SERVICE</a> APPLY EQUALLY TO THIS POLICY.</p><p class="small-pad-paragraph">MEGA reserves the right, unless required otherwise by applicable law, to provide differing levels and categories of information in response to different requests. Persons making a request should first check with MEGA what information will be available, particularly before applying for a production order under the General Policy below.</p><p class="strong-paragraph">Principles</p><ul class="ul-small-pad"><li>The fundamental privacy-protective design of MEGA's services underlies MEGA's approach to law enforcement and takedown requests. This includes user control over the encryption/decryption keys as well as the extent and manner to which their files/folders are shared.</li><li>This policy will be publicly available, including publication on MEGA's website. MEGA may also periodically publish a summary of requests received and actions taken under this policy.</li><li>Separate policy provisions will apply to emergency response, child exploitation material, and allegations of copyright or other intellectual property infringement. These are dealt with separately below.</li><li>Even if the decryption key is provided to staff or otherwise publicly available, MEGA generally will not view, or attempt to view, files against which action is requested but it reserves the right to do so where the file has been decrypted if it considers necessary or appropriate. 
MEGA is not obliged to take action unless required to do so by applicable law but any action will be undertaken objectively, based only on the information provided by third parties, this policy, its <a href="#terms">terms of service</a> and its <a href="#privacy">privacy policy</a>. Where there is any inconsistency between those documents, the terms of service prevail.</li><li>MEGA will promptly inform the user of any action taken where possible provided it considers it appropriate or is required to do so by applicable law.</li><li>MEGA may amend, replace or withdraw this policy temporarily or permanently from time to time as it sees fit. MEGA will generally endeavour to give advance notice if possible, before changes to this policy come into effect.</li><li>Applicable law under this policy is New Zealand law. However, MEGA may, if it chooses to do so, without being obliged to do so, and without submitting itself to any other jurisdiction's law or courts or tribunals, accept requests made by and assist non-New Zealand law enforcement authorities and civil claimants in whole or in part. It may decline to do so for any reason or no reason while being guided by the Principles detailed above and the trust reposed in MEGA by its users.</li></ul><p class="strong-paragraph">General Policy</p><ul class="ul-small-pad"><li>The provisions in this section apply to all law enforcement and takedown requests other than those for Emergency Response, alleged Child Exploitation Material, alleged Copyright Infringing Material or alleged Other Intellectual Property Infringing Material (for which, see below).</li><li>MEGA will generally only take action when <strong>required</strong> to do so by applicable law or a Court or law enforcement authority with appropriate jurisdiction. 
Generally, this means a 'production order' as per Subpart 2 of Part 3 of the <a href="http://www.legislation.govt.nz/act/public/2012/0024/latest/DLM2136536.html" target="_blank">Search and Surveillance Act 2012</a> is required rather than simply a formal or informal request for information and/or action.</li><li>The information to be provided or action to be taken by MEGA shall be as specified in the relevant law or order, subject to MEGA being technically able to provide that information or take that action. As noted above, persons making requests via production order should contact MEGA first to see what information may be made available.</li></ul><p class="strong-paragraph">Emergency Response</p><ul class="ul-small-pad"><li>This is defined as a situation where, in the expert judgement of a senior officer of the New Zealand Police or similar law enforcement officer or authority, MEGA is assured that the person making the request has valid reasons to believe, based on reasonable evidence, that disclosure or action is necessary to prevent or lessen an imminent and serious threat (as defined in section 2(1) of the <a href="http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html" target="_blank">Privacy Act 1993</a>) to:<ul class="ul-small-pad" style="padding-top:10px;"><li>public health or public safety;</li><li>the life or health of an individual or individuals</li></ul> and where the person giving such assurance confirms that the threat is of such imminence that there is not time to obtain a production order.</li><li>If satisfied as to the above, MEGA may in its discretion accept a request in such situations in good faith. 
In doing so, MEGA will be relying on the assurances given by the person making such request and will look to them and their organisation to cover any costs, damages, penalties, compensation or other liability should that assurance turn out to be incorrect or wrongly given for any reason.</li><li>The information to be provided or action to be taken by MEGA shall be as specified by, and agreed with, the appropriately designated officer.</li><li>MEGA will provide the New Zealand Police and other agencies approved by MEGA with the mobile phone number and email address of contact person(s) who will act on behalf of MEGA in an emergency response situation.</li></ul><p class="strong-paragraph">Child Exploitation Material</p><ul class="ul-small-pad"><li>MEGA does not condone, authorise, support or knowingly facilitate the storage or sharing of objectionable material as defined in section 3 of the <a href="http://www.legislation.govt.nz/act/public/1993/0094/latest/DLM312895.html" target="_blank">Films, Videos, and Publications Classification Act 1993</a>. 
MEGA will act under the General Policy set out above in respect of all objectionable material and reserves the rights set out in its terms of service to take down or disable access to such material as it sees fit.</li><li>However, MEGA views child exploitative material as defined in sections 3(1A) and 3(2)(a) of the <a href="http://www.legislation.govt.nz/act/public/1993/0094/latest/DLM312895.html" target="_blank">Films, Videos, and Publications Classification Act 1993</a> as worthy of special treatment.</li><li>Where, in the expert judgement of an Inspector of Publications of the New Zealand Department of Internal Affairs, Censorship Compliance Unit or similar authority acceptable to MEGA, MEGA is assured that the person making a request has valid reasons to believe, based on reasonable evidence, that disclosure is necessary to gather evidence in relation to an active investigation involving child exploitation material, MEGA will take such action and make such disclosures as it may agree in its discretion with the person making such request.</li></ul><p class="strong-paragraph">Allegations of Copyright Infringement</p><ul class="ul-small-pad"><li>Users are warned in MEGA's terms of service and when using the service they must comply with all laws including copyright and other intellectual property laws. This includes, but is not limited to, a warning when generating a link for sharing files/folders in the File Manager.</li><li>MEGA will publish on its website the information to be provided, and statements to be made by copyright owners or their duly authorised agents/representatives, to notify MEGA of an alleged copyright infringement.</li><li>All copyright infringement notices should be made via the <a href="#copyrightnotice">specific form</a> published on MEGA's website. 
All requests by other channels, including email, may be returned to sender with a request to use the online form before they are actioned.</li><li>The notice provider of alleged copyright infringement shall be given the option of requesting either removal of link(s) to an allegedly infringing file or removal of all file(s) relating to a specific link/URL.</li><li>MEGA will act on copyright infringement notices in accordance with its <a href="#copyright">copyright infringement policy</a>.</li></ul><p class="strong-paragraph">Other Intellectual Property Infringement</p><ul class="ul-small-pad"><li>MEGA will act in response to allegations of other forms of intellectual property infringement (e.g. trade mark infringement) in broadly similar fashion as for copyright infringement, reserving to itself the same discretions, rights and protections.</li><li>Notices of alleged intellectual property infringement other than copyright infringement, setting out full details similar to those required for copyright infringement notices, should be sent to <a href="mailto:[email protected]">[email protected]</a>.</li></ul><p class="strong-paragraph">Exceptions</p><p class="small-pad-paragraph">Any action by MEGA contrary to this policy shall only be undertaken with the prior written authorisation of the Chief Executive Officer.</p><p class="strong-paragraph">Changes to Policy</p><p class="small-pad-paragraph">All changes to this policy shall be notified via a post in MEGA's blog, including the date when the new policy shall come into force (which may be immediately on posting if necessary or appropriate). The policy published online at MEGA's website shall always be the latest, updated one in force.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA launches Android app]]></title>
<link>https://mega.co.nz/#blog_15</link>
<pubDate>Thu, 04 Jul 2013 06:39:53 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_15</guid>
<description><![CDATA[Our official Android app is now available free of charge from the <a href="https://play.google.com/store/apps/details?id=com.flyingottersoftware.mega" target="_blank">Google Play Store</a>.<br>Features:]]></description>
<content:encoded><![CDATA[<p>Our official Android app is now available free of charge from the <a href="https://play.google.com/store/apps/details?id=com.flyingottersoftware.mega" target="_blank">Google Play Store</a>.</p><p class="strong-paragraph">Features:</p><ul class="ul-small-pad"><li>Browse your MEGA cloud storage account</li></ul><ul class="ul-small-pad"><li>Fast up- & downloading</li></ul><ul class="ul-small-pad"><li>Camera sync: Automatically upload your photos and videos to MEGA</li></ul><ul class="ul-small-pad"><li>Export and send file and folder links</li></ul><ul class="ul-small-pad"><li>Image thumbnails</li></ul><ul class="ul-small-pad"><li>Create, delete, rename and move files and folders</li></ul><p>We appreciate your <a href="mailto:[email protected]">feedback</a> and will accommodate feature requests and fix reported bugs swiftly. Our iOS app and Windows sync client are currently in the final stages of development and will follow suit.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Join the MEGA team. We're hiring!]]></title>
<link>https://mega.co.nz/#blog_14</link>
<pubDate>Wed, 19 Jun 2013 21:13:45 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_14</guid>
<description><![CDATA[MEGA is no ordinary start-up. Launched in January this year, we've already got more than 3 million people using our cloud storage and collaboration services]]></description>
<content:encoded><![CDATA[<p class="blog-paragraph-big-lines"><strong>Location:</strong> New Zealand / anywhere in the world<br><strong>Type:</strong> Full time++</p><p class="small-pad-paragraph"><strong>MEGA</strong> is no ordinary start-up. Launched in January this year, we've already got <strong>more than 3 million people</strong> using our cloud storage and collaboration services. And that number continues to grow as we are striving to add functionality and launch new services as quickly as possible.</p><p class="small-pad-paragraph">These are not ordinary jobs. We offer cutting-edge technology development, global-scale operations, aggressive growth, and the best minds as colleagues. This is a unique opportunity to share the excitement of a company driving new standards in privacy and security online.</p><div class="blog-new-full-div2"></div><div class="blog-jobs-icon you">You</div><p class="small-pad-paragraph">You are right up there among the best in the world as far as your technical skills go. But, more than that, you have the 'soft skills' of team leadership and mentoring. You are going to be an integral part of MEGA's technical nucleus, and you will also help build a strong team of outstanding talents around it. In short, you deserve the challenge that only MEGA can provide.</p><p class="small-pad-paragraph">You will have many years of experience and be able to demonstrate code that makes our CTO sit up and be determined to hire you. 
Naturally, we expect that you fit into the team and become a source of positive energy.</p><div class="blog-new-full-div2"></div><div class="blog-jobs-icon salary">Salary</div><p class="small-pad-paragraph">We expect to pay well for your skills and the many hours of work you'll put in.</p><p class="small-pad-paragraph">MEGA is also developing ways to allow our key staff to benefit directly from our stellar growth.</p><div class="blog-new-full-div2"></div><div class="blog-jobs-icon location">Location</div><p class="small-pad-paragraph">As you will soon be leading and mentoring others, we prefer candidates based in New Zealand. However, to get the best in the world, we are open to discussing individual arrangements.</p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> MEGA is looking for both server-side and client-side skills. You could specialise in either of them but if you are strong in both, that's a huge advantage. The specific skill sets are:</p><div class="blog-jobs-icon server-side">Server-side</div><ul class="ul-small-pad"><li>Advanced UNIX/Linux network / I/O programming</li><li>Programming/scripting environments: C/C++, Perl, Python, PHP</li><li>System architecture</li><li>Data modelling</li><li>Outstanding analytical, conceptual, problem-solving and troubleshooting skills</li><li>System administration and security</li><li>Project management</li></ul><div class="blog-jobs-icon client-side">Client-side</div><ul class="ul-small-pad"><li>Extensive JavaScript experience</li><li>Familiar with the latest HTML5 developments</li><li>Familiar with regular web development: HTML & CSS</li><li>Above-average understanding of cryptography</li><li>Strong experience with jQuery</li><li>Ability to document and create and maintain JavaScript coding guidelines</li><li>Awareness of JavaScript security pitfalls (XSS et al.)</li><li>Cross-browser testing & troubleshooting</li></ul><div class="blog-new-full-div2"></div><p class="strong-paragraph">To 
Apply:</p><p class="small-pad-paragraph"><a href="mailto:[email protected]">Mail</a> us your CV and some sample code. Tell us why you are perfect for MEGA.<br><br>We are really excited to expand the MEGA team and thank you for taking the time to apply.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Event notifications and zipped downloads]]></title>
<link>https://mega.co.nz/#blog_13</link>
<pubDate>Sun, 19 May 2013 22:30:30 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_13</guid>
<description><![CDATA[MEGA no longer leaves you in the dark about what is happening inside your shared folders. Your <a href="#notifications">event notification timeline</a> is now available under the new cloud icon in the top menu]]></description>
<content:encoded><![CDATA[<p>MEGA no longer leaves you in the dark about what is happening inside your shared folders. Your <a href="#notifications">event notification timeline</a> is now available under the new cloud icon in the top menu bar and displays all relevant activities of your cloud collaboration partners. Selecting a "files added" entry takes you directly to the affected folder and marks the new files.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/cloud-zip.png" class="blog-left-image clouds"><p class="blog-p-left-pad clouds"><strong>Folders or multiple files</strong> can now be downloaded as a <strong>.zip archive</strong> by selecting "Download as ZIP" from their context menu (right mouse button). This is especially convenient for preserving a transfer's subfolder structure.</p><div class="clear"></div><p class="strong-paragraph">The feature is experimental and comes with the following caveats:</p><ul class="ul-small-pad"><li>No ZIP64 support yet: All archived files as well as the entire archive must be smaller than 4 GB.</li><li>Uploads would sometimes restart from scratch in case of intermittent network issues. This has been fixed.</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/cloud-resume.png" class="blog-left-image clouds"><p class="blog-p-left-pad clouds">File transfers can now be <strong>halted and resumed</strong>, and transfer settings (the number of parallel connections, upload speed limit, identical file skipping and SSL) can be modified during a batch transfer and will take effect once the next file starts.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Browser Update: Firefox 20 now MEGA approved]]></title>
<link>https://mega.co.nz/#blog_12</link>
<pubDate>Tue, 07 May 2013 09:39:31 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_12</guid>
<description><![CDATA[Starting with version 20, Mozilla Firefox finally supports the tiny JavaScript API detail that we had been craving, making it the preferred browser to use MEGA with]]></description>
<content:encoded><![CDATA[<p>Starting with version 20, Mozilla Firefox finally supports the tiny JavaScript API detail that we had been craving, making it the preferred browser to use MEGA with (unless you need recursive folder uploads, which remains a Chrome specialty).</p><p class="strong-paragraph">The revised MEGA browser compatibility table:</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/ff-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Firefox 20+:</div><div class="clear"></div><p><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Very stable thanks to proper memory management</span><span class="clear"></span><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Extremely fast JavaScript engine</span><span class="clear"></span><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Excellent text rendering, with proper character spacing/kerning even under MacOS</span><span class="clear"></span><span class="blog-new-negative"></span><span class="blog-new-num-txtpositive-negative-txt">No folder uploads</span><span class="clear"></span><span class="blog-status"><span class="blog-new-strong-recomend"></span><span class="blog-new-num-txt positive-negative-txt"><strong>Highly Recommended !!!</strong></span></span></p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/chrome-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Chrome</div><div class="clear"></div><p><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Supports recursive folder uploads</span><span class="clear"></span><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Very fast JavaScript engine</span><span class="clear"></span><span class="blog-new-negative"></span><span 
class="blog-new-num-txtpositive-negative-txt">Memory management flaws cause occasional crashes, especially under UNIX/Linux and on 32-bit platforms</span><span class="clear"></span><span class="blog-new-negative"></span><span class="blog-new-num-txtpositive-negative-txt">Anemic text rendering, erratic character spacing under MacOS</span><span class="clear"></span><span class="blog-status"><span class="blog-new-recomend"></span><span class="blog-new-num-txt positive-negative-txt"><strong>Recommended </strong> (on 64-bit operating systems)</span></span></p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/ie10-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Internet Explorer 10:</div><div class="clear"></div><p><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Very fast JavaScript engine</span><span class="clear"></span><span class="blog-new-positive"></span><span class="blog-new-num-txt positive-negative-txt">Excellent text rendering</span><span class="clear"></span><span class="blog-new-negative"></span><span class="blog-new-num-txtpositive-negative-txt">No folder uploads</span><span class="clear"></span><span class="blog-status"><span class="blog-new-not-recomend"></span><span class="blog-new-num-txt positive-negative-txt"><strong>Not recommended </strong> (until msSaveBlob() is fixed)</span></span></p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/safari-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Safari 6:</div><div class="clear"></div><p><span class="blog-new-negative"></span><span class="blog-new-num-txtpositive-negative-txt">No support for writing files from within JavaScript (requiring a kludgy Flash-based workaround)</span><span class="clear"></span><span class="blog-new-negative"></span><span class="blog-new-num-txtpositive-negative-txt">No folder uploads</span><span 
class="clear"></span><span class="blog-new-negative"></span><span class="blog-new-num-txtpositive-negative-txt">Erratic character spacing under MacOS</span><span class="clear"></span><span class="blog-status"><span class="blog-new-not-recomend"></span><span class="blog-new-num-txt positive-negative-txt"><strong>Not recommended </strong></span></span></p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Mega Limited appoints new CFO]]></title>
<link>https://mega.co.nz/#blog_11</link>
<pubDate>Wed, 01 May 2013 23:57:29 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_11</guid>
<description><![CDATA[MEGA is pleased to announce the appointment of Stephen Hall as its Chief Financial Officer. MEGA CEO Vikram Kumar said: <i>MEGA received a large number of high quality applications</i>]]></description>
<content:encoded><![CDATA[<p>MEGA is pleased to announce the appointment of Stephen Hall as its Chief Financial Officer.</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/blog-img3.png" class="blog-left-image"><p class="blog-p-left-pad">MEGA CEO Vikram Kumar said: <br><span class="italic-quote"><span class="red">"</span> MEGA received a large number of high quality applications for the advertised position. We are delighted that this resulted in identifying Stephen as the best candidate, offering both financial and broad general management skills. Stephen's expertise and experience will be invaluable in rapidly building MEGA as a globally significant Internet services company.<span class="red">"</span></span></p><div class="clear"></div><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> Stephen has been working as a consultant and was with Genesis Research and Development Corporation Ltd., both as Chief Executive and Head of Corporate Services. He has also worked with the St Lukes Group Ltd., Watercare Services Ltd., and various other companies in New Zealand and Australia.<span class="red">"</span></span></p><p class="small-pad-paragraph">Stephen started work on 22nd April 2013. He is based in Auckland, New Zealand.</p><p class="small-pad-paragraph">New CFO Stephen Hall said:<span class="italic-quote"><span class="red">"</span> It is terrific to be working with a high growth New Zealand company that is using modern technology to supply services to global users and is showing amazing growth in user numbers. <span class="red">"</span></span></p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Going mobile]]></title>
<link>https://mega.co.nz/#blog_10</link>
<pubDate>Thu, 28 Mar 2013 09:32:11 -0400</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_10</guid>
<description><![CDATA[We have just launched our experimental mobile site. While certainly not a replacement for a full-blown app (which will follow suit), it does improve usability for those who are accessing]]></description>
<content:encoded><![CDATA[<p>We have just launched our experimental mobile site. While certainly not a replacement for a full-blown app (which will follow suit), it does improve usability for those who are accessing MEGA from a smartphone or tablet. We invite you to test it on your favourite device and let us know what you think.<br><br><strong>In other news...</strong></p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/mobile-download.png" class="blog-apps-icon news"><div class="blog-browser-title news"> If you were annoyed by some of your photo thumbnails appearing turned sideways, you will be pleased to know that EXIF orientation tags are now supported.</div><div class="clear"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/mobile-ipv6.png" class="blog-apps-icon news"><div class="blog-browser-title news"> While still low in absolute terms, we see an encouraging uptrend in the popularity of IPv6 among our users.</div><div class="clear"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/mobile-pro.png" class="blog-apps-icon news"><div class="blog-browser-title news"> If you need more space in the cloud, you can now conveniently upgrade your account to Pro status through PayPal.</div><div class="clear"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/api-docs.png" class="blog-apps-icon news"><div class="blog-browser-title news"> App developers, rejoice: Our C++ SDK is nearing completion! Expect a compact and lightweight implementation of the MEGA API with support for the full spectrum of cryptographic interactions. It is also likely to be a fresh opportunity to earn vulnerability rewards.</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[A quick update from the engine room]]></title>
<link>https://mega.co.nz/#blog_9</link>
<pubDate>Thu, 07 Mar 2013 13:27:46 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_9</guid>
<description><![CDATA[A quick update from the engine room]]></description>
<content:encoded><![CDATA[<img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/rewards.png" class="blog-apps-icon"><div class="blog-browser-title"> Vulnerability Rewards</div><div class="clear"></div><p>Two more security researchers have collected a bounty (both in relation to XSS vulnerabilities), bringing the total number of rewards to nine. Thank you!</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/folder-links.png" class="blog-apps-icon"><div class="blog-browser-title"> Folder Links</div><div class="clear"></div><p>Links to folders can now be exported in the same manner as links to files.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/downloads.png" class="blog-apps-icon"><div class="blog-browser-title"> Folder Downloads</div><div class="clear"></div><p>Complete folders (all files contained in them, including subfolders) can now be downloaded by selecting "Download" from their context menu.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/ff-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Firefox Support</div><div class="clear"></div><p>Coincidentally, one of the Mozilla Foundation's ten offices worldwide is located right around the corner from us, and we expect Firefox to soon join Chrome in being able to efficiently write local files from within JavaScript. As a temporary stop-gap solution, we have built a simple Firefox extension that does exactly that. 
It also maintains the path structure when downloading folders.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/thumbs.png" class="blog-apps-icon"><div class="blog-browser-title"> Image Thumbnails</div><div class="clear"></div><p>A new icon view mode (activated through the button to the right of the search field) displays thumbnails for newly uploaded image files (supported formats: JPEG, PNG, GIF and BMP). To add thumbnails to your existing image files, simply download each of them once.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/api-docs.png" class="blog-apps-icon"><div class="blog-browser-title"> API documentation/software development kit</div><div class="clear"></div><p>With the API feature set stabilizing, we are now working on an official SDK that will provide an abstraction layer between the application and the low-level MEGA API calls, simplifying app development, guaranteeing correct handling of all client-side cryptography and ensuring interoperability.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/m-logo.png" class="blog-apps-icon"><div class="blog-browser-title"> Client Applications</div><div class="clear"></div><p>Coming shortly after the SDK. At this point, we would like to take our hats off to everybody who has managed to reverse-engineer our API logic and built a working client. We are pleased to see a growing number of remarkably good apps emerge, and we hope that our SDK will fuel that even further.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Vulnerability Rewards - The first week]]></title>
<link>https://mega.co.nz/#blog_8</link>
<pubDate>Sat, 09 Feb 2013 07:57:27 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_8</guid>
<description><![CDATA[It is time to report interim results of our vulnerability reward program. First of all, we wish to thank everybody who submitted bug reports and suggestions. We would also like to thank]]></description>
<content:encoded><![CDATA[<p>It is time to report interim results of our vulnerability reward program. First of all, we wish to thank everybody who submitted bug reports and suggestions. We would also like to thank those who reviewed our code, but came up empty. If your analysis is still ongoing - don't despair, the program is here to stay, and there is no deadline for submissions (other than the risk of someone else finding and reporting the bug you are working on before you do).</p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> Vulnerabilities are classified by severity, from class I to VI:</p><p class="small-pad-paragraph"><strong>Severity class VI:</strong> Fundamental and generally exploitable cryptographic design flaws</p><p class="small-pad-paragraph"><strong>Severity class V:</strong> Remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches</p><p class="small-pad-paragraph"><strong>Severity class IV:</strong> Cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)</p><p class="small-pad-paragraph"><strong>Severity class III:</strong> Generally exploitable remote code execution on client browsers (cross-site scripting)</p><p class="small-pad-paragraph"><strong>Severity class II:</strong> Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack (e.g. 
by issuing a fake SSL certificate + DNS/BGP manipulation)</p><p class="small-pad-paragraph"><strong>Severity class I:</strong> All lower-impact or purely theoretical scenarios</p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> The Results</p><p class="small-pad-paragraph"><strong>Class V</strong> and <strong>VI</strong> vulnerabilities:</p><p class="small-pad-paragraph">- none reported -</p><p class="small-pad-paragraph"><strong>Class IV</strong> vulnerabilities:</p><ul class="ul-small-pad"><li>Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers. Fixed within hours.</li></ul><p class="small-pad-paragraph"><strong>Class III</strong> vulnerabilities:</p><ul class="ul-small-pad"><li>XSS through file and folder names. Mitigating factors: None. Fixed within hours.</li><li>XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours.</li><li>XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours.</li></ul><p class="small-pad-paragraph"><strong>Class II</strong> vulnerabilities:</p><ul class="ul-small-pad"><li>XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors - apart from the need to control an API server or successfully mounting a man-in-the-middle attack -: None. Fixed within hours.</li></ul><p class="small-pad-paragraph"><strong>Class I</strong> vulnerabilities:</p><ul class="ul-small-pad"><li>HTTP Strict Transport Security header was missing. Fixed. 
Also, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome.</li><li>X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.</li></ul><p class="small-pad-paragraph">We believe that it would be premature to draw any conclusions at this time - barely three weeks after our launch and one week into the program. It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction. Needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years).</p><p class="small-pad-paragraph">We're looking forward to your future submissions, hopefully including some that address higher-level and conceptual issues!</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Mega Limited appoints new CEO]]></title>
<link>https://mega.co.nz/#blog_7</link>
<pubDate>Thu, 07 Feb 2013 03:57:46 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_7</guid>
<description><![CDATA[Today, interim CEO of MEGA Tony Lentino announced the appointment of former CEO of InternetNZ, Vikram Kumar, as the new CEO of MEGA.]]></description>
<content:encoded><![CDATA[<p>Today, interim CEO of MEGA Tony Lentino announced the appointment of former CEO of InternetNZ, Vikram Kumar, as the new CEO of MEGA. Mr. Lentino will maintain a seat as a director with MEGA.</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/blog-img7.png" class="blog-left-image"><p class="blog-p-left-pad"><span class="italic-quote"><span class="red">"</span> MEGA is delighted to welcome Vikram Kumar as its new CEO<span class="red">"</span></span>, said Lentino. <span class="italic-quote"><span class="red">"</span> I have assisted MEGA since its inception, putting time and energy into finding investors, setting up support staff and general overview of the company in its initial stage. Now MEGA runs on a day-to-day routine, and I am pleased to hand the role of CEO to Vikram who is an experienced leader in the Internet industry.<span class="red">"</span></span></p><div class="clear"></div><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> MEGA is an exciting business and one that I am delighted to be joining <span class="red">"</span></span>, said Vikram Kumar. <br><span class="italic-quote"><span class="red">"</span> Since launch just over two weeks ago, the company has had some stellar successes, with over two million subscribers joining MEGA.co.nz. I look forward to building on this initial success to develop MEGA into a significant company on the international Internet stage.<span class="red">"</span></span></p><p class="small-pad-paragraph">Until recently, Vikram has been Chief Executive of InternetNZ, a non-profit organization promoting the vision of an 'open and uncapturable Internet'. In New Zealand, he has earlier worked for central government (State Services Commission) as well as Telecom in a variety of roles covering management, strategy, innovation, policy and programme management.</p><p class="small-pad-paragraph">Vikram brings a diverse range of skills and insights to MEGA. 
He takes great interest in the economic, social and cultural opportunities that the Internet provides and the challenges the Internet is facing such as privacy, security and openness.</p><p class="small-pad-paragraph">Mr. Lentino - owner of Instra Corporation and shareholder at MEGA - will maintain a seat as a director with MEGA and will continue to provide his entrepreneurial spirit and skills to the enterprise. "In addition to running the Instra business, I am happy to work alongside other MEGA executives, combining our abilities to create a global success", Mr Lentino says.</p><div class="blog-new-full-div2"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/mega.png" class="blog-new-logos"><div class="blog-browser-title large"> About Mega Limited</div><div class="clear"></div><p>MEGA.co.nz is a revolutionary cloud storage service providing up to 50GB of free space, on-the-fly encryption and extremely fast file transfers thanks to our innovative in-browser multiplexing technology. MEGA is the most secure service in the industry as it encrypts user's data in the browser 'on the fly' and decrypts only when using keys which are solely in the hands of our users. With over 2.5 Million registered users internationally, MEGA has become a serious contender in the cloud storage arena after only 2 weeks of operations. MEGA.co.nz was launched on Jan 20, 2013 in New Zealand.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/instra.png" class="blog-new-logos"><div class="blog-browser-title large"> About Instra Corporation Pty. Ltd</div><div class="clear"></div><p> Formed in 1997, Instra Corporation is a privately-owned company based in Auckland, New Zealand and Melbourne, Australia. Instra has expanded its initial domain name business from New Zealand and Australia into a leading, worldwide domain registrar. 
Instra Corporation supplies over 300 country domains worldwide and has direct accreditations with over 100 registries. Many companies and household brand names from around the world take advantage of Instra's unique and sophisticated Domain Management System to actively manage their online intellectual property. Instra has customers in over 160 countries.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[The MEGA Vulnerability Reward Program]]></title>
<link>https://mega.co.nz/#blog_6</link>
<pubDate>Sat, 02 Feb 2013 00:59:14 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_6</guid>
<description><![CDATA[Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs]]></description>
<content:encoded><![CDATA[<p>Immediately after our launch, our security model and implementation came under intense crossfire, most of which turned out to be damp squibs (<a href="http://www.forbes.com/sites/andygreenberg/2013/01/21/researchers-warn-megas-new-encrypted-cloud-cant-keep-its-megasecurity-promises/" target="_blank">Forbes</a> and <a href="http://arstechnica.com/business/2013/01/megabad-a-quick-look-at-the-state-of-megas-encryption/" target="_blank">ars technica</a> published two of the worst examples). We have, however, also suffered three direct hits, and we want more! To improve MEGA's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw.</p><div class="blog-new-full-div2"></div><p class="strong-paragraph">What types of bugs qualify?</p><p class="small-pad-paragraph"><span class="blog-plus-sign"></span><span class="blog-new-num-txt">Remote code execution on any of our servers (including SQL injection)</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-plus-sign"></span><span class="blog-new-num-txt">Remote code execution on any client browser (e.g., through XSS)</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-plus-sign"></span><span class="blog-new-num-txt">Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-plus-sign"></span><span class="blog-new-num-txt">Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-plus-sign"></span><span class="blog-new-num-txt">Any issue that jeopardizes an account's data in case the associated e-mail address is compromised</span><span class="clear"></span></p><div 
class="blog-new-full-div2"></div><p class="strong-paragraph">What types of bugs do not qualify?</p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any issue requiring active victim participation, such as phishing and social engineering attacks</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any issue resulting from users choosing weak passwords</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any issue requiring a very significant number of server requests to exploit</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any issue requiring a compromised client machine</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any issue requiring an unsupported or outdated client browser</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any issue requiring physical data centre access (see below for limited scope scenarios that allow for compromised servers)</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Vulnerabilities in third party-operated services (e.g. 
resellers)</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any overloading/resource exhaustion/denial of service-type of attacks</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Anything relying on forged SSL certificates</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Anything requiring extreme computing power (2^60 cryptographic operations+) or a working quantum computer. This includes allegedly predictable random numbers - you qualify only if you are able to show an actual weakness rather than general conjecture.</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any bugs that are unrelated to the integrity, availability and confidentiality of user data</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-minus-sign"></span><span class="blog-new-num-txt">Any claims that reading and understanding our JavaScript code is successful cryptanalysis in itself - while it may be cryptic, it is not encrypted</span><span class="clear"></span></p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> Special scenarios</p><p class="small-pad-paragraph"><span class="blog-new-number">1</span><span class="blog-new-num-txt strong-header">Compromised static CDN node <span class="blog-dark">(*.static.mega.co.nz)</span></span><span class="clear"></span>Let's assume that you have compromised one of our static content servers and are able to manipulate the files (including all JavaScript code) served from it. Can you leverage that achievement to compromise our security? 
Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded!</p><p class="small-pad-paragraph"><span class="blog-new-number">2</span><span class="blog-new-num-txt strong-header">Compromised user storage node <span class="blog-dark">(*.userstorage.mega.co.nz)</span></span><span class="clear"></span>Let's assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don't have its key. Can you manipulate its content so that it still downloads without error?</p><p class="small-pad-paragraph"><span class="blog-new-number">3</span><span class="blog-new-num-txt strong-header">Compromised core infrastructure <span class="blog-dark">(*.api.mega.co.nz)</span></span><span class="clear"></span>This is the most extreme scenario. Let's assume that you have compromised our operational heart, the API servers. 
Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?</p><div class="blog-new-full-div2"></div><p class="strong-paragraph">Bonus bounty - earn the maximum reward: Brute-force challenge</p><p class="small-pad-paragraph"><span class="blog-new-arrow"></span><span class="blog-new-num-txt strong-header">Send us the key that decrypts this file:<span class="dev-new-input-block"><input value="https://mega.co.nz/#!FV4zmLKQ"></span></span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-arrow"></span><span class="blog-new-num-txt strong-header">Send us the password encoded in this signup confirmation link:<span class="dev-new-input-block"><input value="https://mega.co.nz/#confirmPErZw9BeV5MILaLUyKRg5VTmPfkhpozPvNZ2djiZ9dmf1f8RIgQAi1V"></span></span><span class="clear"></span></p><div class="blog-new-full-div2"></div><p class="strong-paragraph">How much can I earn?</p><p class="small-pad-paragraph">We offer up to EUR 10,000 per bug, depending on its complexity and impact potential.</p><p class="strong-paragraph">Who is eligible?</p><p class="small-pad-paragraph">The first finder of the bug. Bugs reported by third parties are typically not considered for a reward.</p><p class="strong-paragraph">What is the disclosure policy?</p><p class="small-pad-paragraph">You are free to disclose your finding to the general public after we confirm to you that the issue has been resolved.</p><p class="strong-paragraph">Who makes the decision?</p><p class="small-pad-paragraph">The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final.</p><p class="strong-paragraph">How do I submit my finding?</p><p class="small-pad-paragraph">Send an e-mail to <a href="mailto:[email protected]">[email protected]</a>.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Cat vs. Mice - 1:0]]></title>
<link>https://mega.co.nz/#blog_5</link>
<pubDate>Fri, 01 Feb 2013 00:52:05 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_5</guid>
<description><![CDATA[MEGA as a cloud storage provider is not required to police its users. For example, under the United States DMCA safe harbour, pursuant to 17 U.S.C. § 512(m)]]></description>
<content:encoded><![CDATA[<p>MEGA as a cloud storage provider is not required to police its users. For example, under the United States DMCA safe harbour, pursuant to 17 U.S.C. § 512(m), the DMCA safe harbour provisions are not conditioned upon a service provider "monitoring its service or affirmatively seeking facts indicating infringing activity." Section 512 represents a legislative determination that copyright owners must themselves bear the burden of policing for infringing activity - service providers are under no such duty.</p><p class="small-pad-paragraph">However, it has come to MEGA's attention that there are micro search engines that use our (M) logo and other MEGA branding without authorization. Worse, such site(s) were reported in a highly publicized manner and purport to be globally available search engines, but don't have their own DMCA takedown policy or registered DMCA agent.</p><p class="small-pad-paragraph">In addition, MEGA distinguishes itself from other major cloud storage providers through two important concepts: Privacy and security. Both are utterly eviscerated by making encryption keys public, a fact that is not only self-evident, but also made very clear in the MEGA user interface:</p><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">" Caution:</span> MEGA's cryptographic security model depends on the confidentiality of the keys displayed above. Avoid transmitting them through insecure channels!<span class="red">"</span></span></p><div class="blog-new-full-div2"></div><p class="strong-paragraph">In other news...</p><ul class="ul-small-pad"><li>Hotmail has solved the blackholing issue within hours - thank you!</li><li>You can now change your password. 
If you had chosen a weak one during sign-up, it's time to rectify that!</li><li>We have added password reset capability for the following scenarios:</li><ul><li>You are still logged in</li><li>You are not logged in, but your account is empty (password resets with data present are considerably more tricky - we do not want a breach of your e-mail account to jeopardize the integrity of your files - and will be addressed at a later stage)</li></ul><li>We have reduced Chrome's memory utilisation during the transfer of multi-gigabyte files.</li><li>We are still receiving occasional reports about failing large file transfers. If you observe one and believe that your Internet connection is fine, please get in touch at <a href="mailto:[email protected]">[email protected]</a>.</li><li>Under Linux, Chrome seems to be less stable than under Windows. We are investigating that.</li></ul>]]></content:encoded>
</item>
<item>
<title><![CDATA[MEGA's first week - a retrospective]]></title>
<link>https://mega.co.nz/#blog_4</link>
<pubDate>Sat, 26 Jan 2013 14:12:19 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_4</guid>
<description><![CDATA[It's been seven busy days for us since MEGA went live. As millions of users were hitting 50,000 freshly written and barely tested lines of code and dozens of newly installed servers]]></description>
<content:encoded><![CDATA[<p>It's been seven busy days for us since MEGA went live. As millions of users were hitting 50,000 freshly written and barely tested lines of code and dozens of newly installed servers, teething troubles were inevitable - it took us almost 72 hours to resolve the major bottlenecks, and we would like to apologize to all users who were affected.</p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> As expected, the public debate about MEGA revolves primarily around our cryptographic security model and can be classified into five categories:</p><p class="small-pad-paragraph"><span class="blog-new-number">1</span><span class="blog-new-num-txt">Actual bugs. Two (an XSS hole and the invalid use of CBC-MAC as a secure hash) were reported by the community so far and fixed swiftly. To all the bright minds going through our amorphous code: Thank you for your efforts! We will make our JavaScript more readable and launch a bug bounty program shortly.</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">2</span><span class="blog-new-num-txt">Design flaws exacerbating the potential impact of weak user passwords. We acknowledge that our current approach is based on the assumption that all of our users choose strong passwords, which is probably a bit naive. We are going to improve the sign-up interface (better user education and rejection of overly weak passwords). 
We'll also reduce the offline password cracking risk for users who do use weak passwords and fall victim to someone intercepting their e-mail or obtaining their user record from our central database.</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">3</span><span class="blog-new-num-txt">Weak random number generation: We have added WebKit's crypto.getRandomValues() into the mix and will collect mouse/keyboard timing entropy explicitly before generating the RSA key pair rather than informing the user that we are doing so only after the generation has already started.</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">4</span><span class="blog-new-num-txt">Deduplication - clause 8 of our Terms of Service has caused some confusion and concern. The reality is quite harmless: We deduplicate based on the full encrypted file. That's it.</span><span class="clear"></span></p><p class="small-pad-paragraph"><span class="blog-new-number">5</span><span class="blog-new-num-txt">Polemic in the "if you can break SSL, you can break MEGA" category. No comment.</span><span class="clear"></span></p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> Other issues:</p><ul class="ul-small-pad"><li>Within hours after the launch, Hotmail started blackholing our e-mails (silently discarding ham is actually quite a rude thing to do!). Apparently, our sudden surge of activity triggered some heuristics designed to guard against spam botnets. Please do not use a Hotmail address to sign up while we're working with them to unblock our IP range.</li><li>Uploads would sometimes restart from scratch in case of intermittent network issues. This has been fixed.</li></ul><div class="blog-new-full-div2"></div><p class="small-pad-paragraph"> We would also like to thank everybody who submitted suggestions and feature requests. Our to-do list is growing!</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[A word on cryptography]]></title>
<link>https://mega.co.nz/#blog_3</link>
<pubDate>Tue, 22 Jan 2013 15:57:12 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_3</guid>
<description><![CDATA[The cloud storage market is dominated by players that do not take advantage of cryptography beyond HTTPS and server-side encryption. Since we set out to improve this]]></description>
<content:encoded><![CDATA[<p>The cloud storage market is dominated by players that do not take advantage of cryptography beyond HTTPS and server-side encryption. Since we set out to improve this rather dissatisfying situation three days ago, some news outlets have made attempts to dismantle our crypto architecture. Frankly, we were not too impressed with the results and would like to address the points that were raised:</p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> ars technica: <span class="red">"Megabad: A quick look at the state of Mega's encryption"</span></p><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> The key used to encrypt your Mega files and folders is stored on Mega's servers, rather than on your local computer.<span class="red">"</span></span></p><p class="small-pad-paragraph">This is correct - the only key that MEGA requires to be stored on the user side is the login password, in the user's brain. This password unlocks the master key, which in turn unlocks the file/folder/share/private keys.</p><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> It is telling that there appears to be no password recovery mechanism anywhere in the Mega or log-on screens, nor any method of changing your password in the user control panel.<span class="red">"</span></span>Because the master AES-128 key is encrypted using your password, remembering the password is vital. Losing it means you don't just lose the ability to log on to the service - you lose the ability to decrypt your files, period.</p><p class="small-pad-paragraph">This is correct (and comes as no surprise) - however, this will change in the near future:</p><ul class="ul-small-pad"><li>A password change feature will re-encrypt the master key with your new password and update it on our servers</li><li>A password reset mechanism will allow you to log back into your account, with all files being unreadable. 
Now, if you have any pre-exported file keys, you can import them to regain access to those files. On top of that, you could ask your share peers to send you the share-specific keys, but that's it - the remainder of your data appears as binary garbage until you remember your password.</li></ul><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> Without adding entropy, the "random" primes generated by math.random for use as RSA keys are really only pseudo-random and can be guessed.<span class="red">"</span></span></p><p class="small-pad-paragraph">This is correct - and quite a strange statement to make after conceding that mouse and keyboard entropy are indeed used to enhance Math.random(). We will, however, add a feature that allows the user to add as much entropy manually as he sees fit before proceeding to the key generation.</p><p class="small-pad-paragraph"><span class="blog-dark">[On deduplication]</span><span class="italic-quote"><span class="red">"</span> Whatever the underlying method, the fact that block deduplication exists is a blow against the "see no evil" approach taken by Mega.<span class="red">"</span></span></p><p class="small-pad-paragraph"><strong>Fact #1:</strong> Once this feature is activated, chunk MACs will indeed be stored on the server side, but they will of course be encrypted (and we will not use ECB!).</p><p class="small-pad-paragraph"><strong>Fact #2:</strong> MEGA indeed uses deduplication, but it does so based on the entire file post-encryption rather than on blocks pre-encryption. If the same file is uploaded twice, encrypted with the same random 128-bit key, only one copy is stored on the server. Or, if (and this is much more likely!) 
a file is copied between folders or user accounts through the file manager or the API, all copies point to the same physical file.</p><div class="blog-new-full-div2"></div><p class="strong-paragraph"> Forbes: <span class="red">"Megabad: A quick look at the state of Mega's encryption"</span></p><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> So Mega, or anyone else who gains control of the Mega server sending the crypto algorithms, can turn off that encryption or steal the user's private key, which would allow decryption of all past and future uploads<span class="red">"</span></span></p><p class="small-pad-paragraph">Correct.</p><p class="small-pad-paragraph"><strong>Fact #1:</strong> Our FAQ states exactly that and warns people that do not trust us to refrain from logging into the site (but they could, in theory, still safely use MEGA through client apps from vendors they trust).</p><p class="small-pad-paragraph"><strong>Fact #2:</strong> Any software maker offering online application updates is able to plant Trojan code into specific targets' computers, with much more far-reaching consequences.</p><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span>If you can break SSL, you can break MEGA.<span class="red">"</span></span></p><p class="small-pad-paragraph">Yes. But if you can break SSL, you can break a lot of things that are even more interesting than MEGA.</p><p class="small-pad-paragraph"><span class="italic-quote"><span class="red">"</span> To make matters worse, Mega's SSL server seems to use weak 1024-bit encryption, rather than the 2048-bit encryption considered the minimum standard by many cryptographers for a decade. 
(This 2004 study, for instance, that declared 1024-bit keys would only be secure until 2006.)<span class="red">"</span></span></p><p class="small-pad-paragraph"><strong>Fact #1:</strong> https://mega.co.nz/ uses 2048-bit encryption.</p><p class="small-pad-paragraph"><strong>Fact #2:</strong> https://*.static.co.nz/ uses 1024-bit encryption.</p><p class="small-pad-paragraph"><strong>Fact #3:</strong> All active content loaded from these "insecure" static servers is integrity-checked by JavaScript code loaded from the "secure" static server, rendering manipulation of the static content or man-in-the-middle attacks ineffective. The only reason why HTTPS is supported/used at all is that most browsers don't like making HTTP connections from HTTPS pages. And, using more than 1024 bit would just waste a lot of extra CPU time on those static servers.</p><p class="small-pad-paragraph"><strong>Fact #4:</strong> This has been covered in our FAQ from the beginning.</p><p class="small-pad-paragraph">John Hopkins cryptographer professor Matthew Green says that Mega's claims of a Javascript verification system <span class="italic-quote"><span class="red">"</span> make no sense.<span class="red">"</span></span>... <span class="italic-quote"><span class="red">"</span> If the Javascript is verifying itself, it's like trying to pick yourself up by our bootstraps, which doesn't work<span class="red">"</span></span>, says Green. <span class="italic-quote"><span class="red">"</span> You need something trusted on the user's machine to check the Javascript, and they don't have that.<span class="red">"</span></span></p><p class="small-pad-paragraph">Please do not rely on hearsay, even if you are a cryptographer professor. 
Instead, go to the actual site and look at the actual code.</p><p class="small-pad-paragraph"><strong>Fact #1:</strong> The JavaScript is not verifying itself.</p><p class="small-pad-paragraph"><strong>Fact #2:</strong> A piece of JavaScript coming from a trusted, 2048-bit HTTPS server is verifying additional pieces of JavaScript coming from untrusted, HTTP/1024-bit HTTPS servers. This basically enables us to host the extremely integrity-sensitive static content on a large number of geographically diverse servers without worrying about security.</p><div class="blog-new-full-div2"></div><p class="small-pad-paragraph"><strong><span class="red">MegaCracker</span></strong> An excellent reminder not to use guessable/dictionary passwords, specifically not if your password also serves as the master encryption key to all files that you store on MEGA.</p>]]></content:encoded>
</item>
<item>
<title><![CDATA[Development roadmap]]></title>
<link>https://mega.co.nz/#blog_2</link>
<pubDate>Fri, 18 Jan 2013 14:06:11 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_2</guid>
<description><![CDATA[Time flies when building a website, and unfortunately, half of the launch feature list that we envisioned when we started implementing MEGA back in September has now]]></description>
<content:encoded><![CDATA[<p>Time flies when building a website, and unfortunately, half of the launch feature list that we envisioned when we started implementing MEGA back in September has now turned into a post-launch development roadmap. These are the essentials that we will work on next:</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/dev-app.png" class="blog-apps-icon"><div class="blog-browser-title"> Developer documentation enhancements:</div><div class="clear"></div><ul><li>Properly reformat and comment the JavaScript reference implementation so that it becomes more readable</li><li>Add missing command-specific documentation to the API reference</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/arrows.png" class="blog-apps-icon"><div class="blog-browser-title"> File transfer queue enhancements:</div><div class="clear"></div><ul><li>Vertical resizing</li><li>Drag & Drop to modify transfer sequence</li><li>Multiselect</li><li>Clicking on a pending transfer navigates to/marks the source file or the target folder</li><li>Stop/continue buttons</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/m-cloud.png" class="blog-apps-icon"><div class="blog-browser-title"> File manager enhancements:</div><div class="clear"></div><ul><li>Re-implement from scratch without underlying third-party UI framework for better performance</li><li>Adaptively eliminate the leftmost file path buttons at the top to maintain visibility of the upload and search buttons (we have a hack in place for this, but it only works in Chrome)</li><li>"Properties" option in the file context menu</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/shared.png" class="blog-apps-icon"><div class="blog-browser-title"> Collaboration feature enhancements:</div><div class="clear"></div><ul><li>MEGA user-to-user 
messaging with file attachments, plus external RFC 4880/OpenPGP and S/MIME gateway for secure off-site e-mail communication</li><li>MEGA user-to-user instant messaging</li><li>Exported link enhancements</li><li>Allow for the creation of folder links (with associated crypto key) which then display the folder content live</li><li>Secure unauthenticated delivery web widget</li><li>Allow unauthenticated users to securely deliver files to MEGA users' inboxes, e.g. to submit very large files to print shops</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/blank-doc.png" class="blog-apps-icon"><div class="blog-browser-title"> Filesystem enhancements:</div><div class="clear"></div><ul><li>Activate storing all block MACs on the server (encrypted) after an upload to allow for integrity-checked partial reading. Right now, the file has to be downloaded fully to be checked.</li><li>Enable forking encrypted time-stamped delta file support to allow for random writing to existing files with full rollback capability</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/core.png" class="blog-apps-icon"><div class="blog-browser-title"> SDK enhancements</div><div class="clear"></div><ul><li>Complete the API documentation</li><li>Provide client libraries in various languages</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/m-logo.png" class="blog-apps-icon"><div class="blog-browser-title"> Client applications</div><div class="clear"></div><ul><li>A Windows filesystem mount is currently in beta and will be available shortly</li><li>Linux/MacOS X filesystem mounts</li><li>Mobile access</li><li>Sync tools for all major platforms</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/inegrated.png" class="blog-apps-icon"><div class="blog-browser-title"> 
Integrated on-site applications</div><div class="clear"></div><ul><li>Calendar</li><li>Word processing</li><li>Spreadsheet</li></ul><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/m-logo.png" class="blog-apps-icon"><div class="blog-browser-title"> MEGA as a local "appliance"</div><div class="clear"></div><ul><li>Load a third-party audited version of the MEGA JavaScript files from a machine that you control</li><li>Be immune to new bugs of any kind</li></ul>]]></content:encoded>
</item>
<item>
<title><![CDATA[A word on browsers]]></title>
<link>https://mega.co.nz/#blog_1</link>
<pubDate>Thu, 17 Jan 2013 21:49:09 -0300</pubDate>
<dc:creator>Admin</dc:creator>
<category><![CDATA[MEGA]]></category>
<guid isPermaLink="false">https://mega.co.nz/#blog_1</guid>
<description><![CDATA[MEGA pushes the browser to its limits, and these limits vary. While it does work with all major current browsers, there are some weighty feature and performance differences]]></description>
<content:encoded><![CDATA[<p>MEGA pushes the browser to its limits, and these limits vary. While it does work with all major current browsers, there are some weighty feature and performance differences:</p><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/chrome-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Google Chrome:</div><div class="clear"></div><p>The leading browser, by far. It implements the proposed HTML5 FileSystem API, allowing for fancy features such as recursive folder uploads and efficient downloads. Caveats: Requires user permission to batch-write files after a few unattended completed downloads (for security reasons, and only once per session). Slightly anaemic text rendering.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/ie10-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Internet Explorer 10:</div><div class="clear"></div><p>A solid, modern browser with blazing JavaScript performance (even exceeding Chrome's). However, until Microsoft fixes a memory leak in the Blob saving functionality, you have to close and reopen the MEGA tab every couple of hundred megabytes of inbound file transfer. 
And, until Microsoft implements disk-based Blobs or Chrome's FileWriter API, memory usage for a file download peaks at twice the file's size - hardly efficient.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/ff-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Mozilla Firefox 18: </div><div class="clear"></div><p>Carefully avoids providing any API that would allow writing files from JavaScript.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/safari-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Safari 6:</div><div class="clear"></div><p>No JavaScript file writing, either.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/ie9-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Internet Explorer 9:</div><div class="clear"></div><p>Lacks all essential features required for MEGA: File I/O, Web Workers, ArrayBuffers, and binary cross-domain HTTP access. Nice text rendering, though.</p><div class="blog-new-full-div"></div><img alt="" src="https://eu.static.mega.co.nz/images/mega/blogs/opera-logo.png" class="blog-browser-logo"><div class="blog-browser-title"> Opera:</div><div class="clear"></div><p>No JavaScript file writing and exceedingly slow JavaScript crypto operations.</p><div class="blog-new-full-div"></div><p class="conclusion">Conclusion: If you are planning on using MEGA frequently, there is currently no alternative to using the most advanced browser currently in existence - Google Chrome.</p>]]></content:encoded>
</item>
</channel>
</rss>