Risk
1/31/2013
12:04 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Mega Repeat: Search Engine Mimics Dotcom's MegaUpload

Crowdsourced MegaSearch site indexes all files on Mega, allowing users to share uploaded, encrypted content.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
There's a new file-sharing game in town: Mega-Search.me. But unlike dedicated file-sharing sites, this one is just a search engine designed for people to submit links to content that they've already uploaded to the file-storage site Mega.

In other words, thanks to an apparent crowdsourcing twist, the combination of Mega and Mega-Search.me enables people upload, share, or retrieve any file -- just as they did with the disgraced Megaupload. "Already more than 2000 links," claimed a tweet from Mega-Search last week.

Although files uploaded to Mega are encrypted, the decryption key is included in the link to the file that's generated for users. Thus any file URL that's publicly disclosed can be used by anyone else to download and decrypt the stored file. A file-sharing feature is notably absent in the official Mega site, which offers 50GB of cloud storage for free, as well as premium accounts offering more.

[ Read more about the new Mega site: 'Mega' Insecure: Kim Dotcom Defends Rebooted Megaupload Security. ]

Mega launched at 6:48 a.m. New Zealand time on Jan. 20, 2013 -- the precise anniversary of New Zealand police and FBI agents' raid last year of Megaupload founder Kim Dotcom's home and shutdown of all Megaupload servers in the United States.

The Department of Justice have accused Dotcom and three other key company officials of using Megaupload to illegally generate $175 million in profits, while causing $500 million in damage to copyright holders, by condoning and supporting illegal file sharing, in part by ignoring numerous takedown requests. Prosecutors are continuing to seek the four men's extradition from New Zealand to the United States to stand trial. All four men have said they're innocent, and fought the extradition request.

The launch of Mega was meant to signal Dotcom's "cloud storage" second coming, and this time on a more clear legal footing. Indeed, given the FBI's takedown of his previous site, this one appeared to be designed by the company's lawyers to protect the executives from any accusations that they were promoting the illegal sharing of files. Instead, the new service has been pitched as a competitor to Dropbox, Google Drive, and Microsoft SkyDrive, but with added security features. In particular, Mega promised to encrypt all files.

The service also stipulated that only a user who uploaded a file would be allowed to download it. As Mega's terms of service state: "If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data) ... you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms."

Last week, Mega -- and Megaupload -- attorney Ira P. Rothken said that in Mega's first 11 days, it had already responded to 150 takedown requests, comprising 250 files, reported Computerworld. Those takedown requests had come from the United States, among other countries. "Mega doesn't want folks to use its cloud storage services for infringing purposes," Rothken said.

Mega-Search.me would seem to make short work of any restrictions on file sharing. But who runs the service? That's not clear. The site uses the top-level domain for Republic of Montenegro (.me), and was registered about 24 hours after the launch of Mega, but the domain's administrator has been hidden using a domain privacy service based in Denver, Colo., which lists an email at that service as a contact point for the site. The site's owner didn't immediately respond to an email asking if the site was funded or supported in any way by Mega.

Posts made by the site's owner -- or owners -- to Twitter and Facebook this week, however, suggest that Mega-Search.me is an independent venture, and faltering. Notably, the Facebook page for Mega-Search.me reported Thursday morning that "MEGA just deleted all our links without checking their contents." The search engine's administrator posted that he suspected that Mega had begun using a tool to automatically identify all links submitted to the search engine, and then delete the related files from the Mega site.

Another post suggested a possible next step for the search engine. "We are searching for some help with the mega API [written in] PHP. In particular, the decryption part," read one Facebook post (translated from French). In other words, instead of the search engine relying on users to submit files they've submitted to Mega, the site could forcibly index every file on Mega itself.

Needed: One PHP coder with a bent for file sharing.

InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our 2013 Global CIO Survey now. Survey ends Feb. 8.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6212
Published: 2014-04-19
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2013-6215
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

CVE-2013-6218
Published: 2014-04-19
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

Best of the Web