
This is just another example where I don't understand why people are so critical toward someone who tries to build something. Are there any flaws? Probably, but who would honestly expect such a massive code base wouldn't have any flaw? But does that fatally undermine what he's trying to achieve? I don't think so.

But I'm going to tell you why he has no good press: because he has no crypto creds. There are plenty of experts who think that you don't have the right to write any crypto code if you don't have the appropriate creds and are very vocal when any attempt is made by someone not of their kind; some of them even behave like bullies. I say don't listen to them, write some crypto code, make some mistakes, learn from them and correct them.




There's a big difference between writing your own code just to learn how AES works and writing code and then saying "we will protect your privacy using this code". The reason experts discourage people from writing crypto code is because it's Hard; even the experts get it wrong. Even if you ignore all the weaknesses you can create by using bad keys, there are still simple mistakes that will ruin your system. For RSA you need to make sure your key generation isn't subject to Pollard's p-1, Pollard's rho, Williams' p+1, Fermat factorization, Wiener's attack, and others. And then once you do that, if you pad incorrectly the whole thing gets blown up anyway.

This isn't someone's little toy app; this is a professionally done, "we will protect your privacy" service with the government already breathing down their neck. The sloppiness they are showing in their crypto (or at least in their presentation of the crypto) is just unacceptable.
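The key-generation traps listed in the comment above (Fermat factorization when p and q are too close, Pollard's p-1 when p-1 is smooth, Wiener's attack when the private exponent is tiny) can be checked for before a key is ever used. The following is an added example written for this thread, not code from Mega or from any commenter: a defender-side audit that refuses such key pairs, plus a generator that retries until the audit passes. The sizes, the smoothness bound, and the "minimum Fermat steps" threshold are illustrative assumptions for a toy demo, not a standard; the sample primes are constructed to trip the checks.

```python
"""Defender-side sanity checks for RSA key material (added example)."""
import math
import random

# Fixed Miller-Rabin bases: the test is exact for every n below 3.3e24,
# which covers all toy sizes used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_smooth(n, bound):
    """True if every prime factor of n is <= bound (trial division)."""
    f = 2
    while f <= bound and f * f <= n:
        while n % f == 0:
            n //= f
        f += 1 if f == 2 else 2
    # Leftover cofactor is 1, a prime, or a product of primes > bound.
    return n <= bound


def audit_rsa_key(p, q, e, d, smooth_bound=2**16, fermat_min_steps=2**20):
    """Return a list of findings; an empty list means the key passed.

    Thresholds are assumptions chosen for this toy demo."""
    findings = []
    if not (is_probable_prime(p) and is_probable_prime(q)):
        findings.append("p or q is not prime")
    if p == q:
        findings.append("p == q")
    n = p * q
    phi = (p - 1) * (q - 1)
    if (e * d) % phi != 1:
        findings.append("e and d are not inverses mod phi(n)")
    # Fermat needs roughly (p-q)^2 / (8*sqrt(n)) steps; too few is a trap.
    if (p - q) ** 2 // (8 * math.isqrt(n)) < fermat_min_steps:
        findings.append("p and q too close (Fermat factorization)")
    for name, x in (("p", p), ("q", q)):
        if is_smooth(x - 1, smooth_bound):
            findings.append(f"{name}-1 is {smooth_bound}-smooth (Pollard p-1)")
    # Wiener: d < n^(1/4)/3 lets d be recovered from the public key alone.
    if d < math.isqrt(math.isqrt(n)) // 3:
        findings.append("private exponent too small (Wiener)")
    return findings


def generate_key(bits=64, e=65537, seed=None):
    """Return (p, q, e, d) with `bits`-bit primes, retrying until the audit passes."""
    rng = random.Random(seed)  # seedable only so the demo is reproducible

    def random_prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand):
                return cand

    while True:
        p, q = random_prime(), random_prime()
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) != 1:
            continue
        d = pow(e, -1, phi)
        if not audit_rsa_key(p, q, e, d):
            return p, q, e, d


# Constructed toy values chosen to trip the checks (not real key material).
CLOSE_PRIMES = (1000003, 1000033)   # only 30 apart: Fermat trap
SMOOTH_PRIME = 65537                # 65537 - 1 = 2**16, fully smooth

if __name__ == "__main__":
    p, q = CLOSE_PRIMES
    print(audit_rsa_key(p, q, 65537, pow(65537, -1, (p - 1) * (q - 1))))
    print(audit_rsa_key(generate_key(seed=7)[0], 1, 1, 1)[:1])
```

The audit is deliberately conservative: any finding rejects the key, and the generator simply draws fresh primes rather than trying to repair a flagged pair. Real deployments use a vetted library's key generation, which applies stronger versions of these checks at full key sizes.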


"discourage" such a euphemism.

You can write crypto code and not rewrite all the primitives. I certainly think that any good software engineer could write his own implementation of operations on GF(2^n), but if he's a good software engineer he will also prefer to pick the right primitives, use the right libraries and write the right crypto glue code. It's not all or nothing. You can be a professional software engineer and write crypto code.


Please do not ship crypto software or, especially, crypto protocols (e.g. Alice does this, then Bob does that) that haven't been publicly audited. It's an unnecessary liability to your company, your customers, and the public when there are alternative solutions that do not have the flaws that a) you think that you don't have but do, or b) don't know that you have.

This is really not an area for hotshot lone developers to contribute to; the stakes are just too high.


Exactly the wrong perspective; most crypto vulnerabilities stem from the "glue code".


People hear "don't roll your own crypto", and think that it means "don't invent your own encryption algorithm". Really it should be rephrased, "don't ever touch crypto directly".


I understand, I Must Not Write Crypto Code™. However I choose to write whatever I want anyway; crypto experts must not be the only ones writing crypto flaws, so can I.


I don't care what you write, but if you go into it thinking that the dangerous stuff is in the primitives like the AES core, and if you just stick to the glue you'll be safe, you're gonna have a bad time.


It seems that some are claiming that crypto written in pure javascript inside a browser is very unlikely to be "good" crypto.


If the crypto implementation is this poorly thought-out, you can only imagine how shaky the rest of the backend code is.

It would not surprise me if the service is shut down again somehow. I would guess they would lean on the banks or CC companies that process his CCs first.


Ignore the downvotes, I agree with you 100%.

These guys have tried really hard to do something complicated nobody has really done before. Sure, it has a few bugs and isn't 'perfect'. Neither was the space shuttle, neither was the HTML 1.0 spec. Nothing ever is.

It's currently in style to put down tall poppies and complain about everything and anything, even when it's free and you don't even have to use it if you don't want to.

A community like Hacker News should be praising people trying to get off the beaten path. Sure, constructive criticism is good, but flat complaining "It's just unacceptable" is complete nonsense and a waste of everyone's time.


Mega is claiming their system is secure. It is not secure.

That's not a small bug! That's a totally broken product.

> A community like Hacker News should be praising people trying to get off the beaten path.

They do, when it's done right.


Don't worry, I knew that this rant would be controversial. I have a few spare karma points to handle it; it's worth it. Anybody should be able to freely express what he thinks.


Plenty of people have done this before; they just weren't nearly as focused on dodging legal liability for housing copyrighted data.

To claim that nobody has done client-side encrypted storage with sharing is clearly incorrect.


So it's OK to cut down tall poppies just because they're trying to do something someone else has already done?

You'll not go far with that mentality.


If by "cut down tall poppies" you mean bring Mega's claims of security and privacy in line with reality, sure.

There are plenty of people doing more interesting work with encrypted data storage. To suggest that Mega is blazing a new trail is absurd. Backblaze has been using a similar key-per-file encryption method since 2007, except they actually executed properly.


Crypto is not like other features of a web application. With most other features, it can be mostly working and have a few bugs, but still be useful and functional. Bugs can be ironed out over the course of time.

Crypto is in a very real sense all-or-nothing. You either get it right, or you get it wrong. There is no in between. Given a weakness, the best attacks almost inevitably drop from requiring O(2^keylen) operations to something along the lines of O(messagelen) operations.

Worse, it is often very difficult to dig yourself out from a deep cryptographic hole that you've gotten yourself into. If you've done it right, you won't be able to do things like rehash user passwords without the user actually supplying his/her password. You won't be able to reencrypt data with new algorithms until the user supplies his/her key. And if you haven't thought ahead and added proper metadata to identify the algorithms and encodings you've used, your migration to any new architecture is going to be a massive pain in the ass. And even in the best case scenario, you will never be able to "upgrade-in-place" the algorithms and approaches you've used for users who've gone dormant. Worse again, if anyone has already gained access to encrypted data before you began the process of upgrading, they have literally an indefinite period of time with which to attack it.

Bad cryptography almost always implies a lack of people with a real cryptographic background. And that implies that at least one of: they don't value security as much as you think they do, or they actually think they know what they're doing and are utterly mistaken. Neither of which bodes well for real long-term solutions, and hints to an endless game of exploit whack-a-mole.

Everything I've read about the cryptography used in Mega leads me to believe it was implemented by well-intentioned amateurs who have tragically fallen victim to the Dunning-Kruger effect. Their use of cryptography amounts to little more than advanced cryptographic voodoo — their approach is to cryptography what Deepak Chopra's approach is to quantum mechanics. I'll note also that they seem to be taking the exact stance you seem to be advocating: just writing glue around a sound cryptographic core. Except their glue code is pitifully insecure, combines primitives in nonstandard or cryptographically unsound ways, and uses primitives for operations they were never intended for and aren't suited for.

TL;DR, bad cryptography is forever.
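The migration point in the comment above (you cannot rehash a password or re-encrypt data until the user shows up with the secret again, and without metadata naming the algorithm and parameters a later migration is guesswork) is easiest to see with a self-describing storage format and an upgrade-on-login step. The following is an added example written for this thread, not code from Mega or from any commenter; the `$pbkdf2-<digest>$<iterations>$<salt>$<hash>` layout is a hypothetical format constructed for the demo, and the "current policy" values are assumptions, not sizing advice.

```python
"""Self-describing password hashes with upgrade-on-login (added example)."""
import base64
import hashlib
import hmac
import os

# Assumed current policy for this demo: the newest digest and work factor
# that freshly stored hashes must use.
CURRENT = {"digest": "sha256", "iterations": 600_000}


def hash_password(password, digest="sha256", iterations=600_000, salt=None):
    """Derive a PBKDF2 hash and pack it with its own algorithm metadata."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations)
    return "$pbkdf2-{}${}${}${}".format(
        digest, iterations,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def parse(stored):
    """Split a stored string into (digest, iterations, salt, dk).

    Raises ValueError on a scheme this code does not know, instead of
    silently guessing how the hash was produced."""
    _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
    prefix, digest = scheme.split("-", 1)
    if prefix != "pbkdf2" or digest not in hashlib.algorithms_available:
        raise ValueError("unknown scheme: " + scheme)
    return digest, int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(password, stored):
    """Recompute with the parameters recorded in the stored value itself."""
    digest, iters, salt, dk = parse(stored)
    cand = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iters)
    return hmac.compare_digest(cand, dk)


def needs_upgrade(stored):
    """True if the stored hash is below the current policy."""
    digest, iters, _, _ = parse(stored)
    return digest != CURRENT["digest"] or iters < CURRENT["iterations"]


def login(password, stored):
    """Verify the password; return (ok, new_stored).

    new_stored is an upgraded hash to write back, or None. The upgrade can
    only happen here, while the plaintext password is in hand: a dormant
    user's record keeps the old scheme until they next log in."""
    if not verify(password, stored):
        return False, None
    if needs_upgrade(stored):
        return True, hash_password(password, CURRENT["digest"], CURRENT["iterations"])
    return True, None


if __name__ == "__main__":
    # Constructed legacy record: weaker digest and work factor than policy.
    legacy = hash_password("correct horse", "sha1", 1000)
    ok, upgraded = login("correct horse", legacy)
    print(ok, needs_upgrade(legacy), upgraded is not None and not needs_upgrade(upgraded))
```

Because every record carries its own digest name, iteration count and salt, a reader of the database can tell exactly which scheme produced each entry, and `needs_upgrade` can be run over the whole table to report how many records are still stuck on the legacy parameters without touching any password.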



