After Lavabit Shut-Down, Dotcom's Mega Promises Secure Mail 158
Lavabit may no longer be an option, but recent events have driven interest in email and other ways to communicate without exposing quite so much, quite so fast, to organizations like the NSA (and DEA, and other agencies). Kim Dotcom as usual enjoys filling the spotlight, when it comes to shuttling bits around in ways that don't please the U.S. government, and Dotcom's privacy-oriented Mega has disclosed plans to serve as an email provider with an emphasis on encryption. ZDNet features an interview with Mega's CEO Vikram Kumar about the complications of keeping email relatively secure; it's not so much the encryption itself, as keeping bits encrypted while still providing the kind of features that users have come to expect from modern webmail providers like Gmail:
"'The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side,' Kumar said. 'If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard. That’s why even Silent Circle didn’t go there.'"
Links? (Score:5, Informative)
Are those actual links, or just the <a> tags?
Re: (Score:2)
Just empty anchors.
Re:Links? (Score:5, Funny)
Just empty anchors.
The links in the story have been secured for your protection.
Re: (Score:1)
Drop them on the NSA's cables, and voila!
Re: (Score:1)
Re: (Score:3)
Timothy's razor: Never attribute to browser bugs that which is adequately explained by Slashdot "editors".
Re: (Score:2)
You cannot access the links because Dotcom's privacy policy has been applied to them and that does not allow you.
Article (Score:5, Informative)
http://torrentfreak.com/dotcoms-mega-debuts-spy-proof-messaging-this-summer-email-follows-130711/ [torrentfreak.com]
A link to an actual article.
Re: (Score:3)
If you go to https://silentcircle.com/ [silentcircle.com] they shut it down "preemptively".
Why oh why? Are there no hosters outside the US?
Also, if they (e.g. La
Re: (Score:2)
Having a service hosted in one country but with admins from another seems like the worst of both worlds since either the government of the country the admins reside in or the government of the country the servers reside in could attack things.
Re: (Score:2)
Well in all the controversy and even our learning in the Trust No One mentality, we are looking four someone to trust.
That tells you something about humanity. And the fact that encryption its not just a game means we must trust someone our our work from scratch will be cracked by the experts we were up against. I for one believe some source would be good but four all we know NSA could honeypot anything as fair game, and post backdoored code on the domains we currently still trust, especially Silent Circle (
The Universal Declaration of Human Rights (Score:5, Insightful)
http://www.un.org/en/documents/udhr/index.shtml#a12 [un.org]
Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Re: (Score:2)
"No one shall be subjected to arbitrary interference "
Nothing arbitrary about the mass surveilance. It's all quite deliberate and systematic. Your rights are well protected.
Re: (Score:2)
So what makes this declaration "Universal ?
Doesit apply on other planets or even all parts of this one?
Re: (Score:2)
When I hear as the president says that the US citizens are not being snooped upon, I always think: "And what about us, who did not happen to be US citizens." Are we a too easy target?
We are also protected by The Universal Declaration of Human Rights. The USA has signed it by the way, the same as China, Russia, and many other countries.
Re: (Score:2)
You are also "protected" by the US Constitution to the same degree. The Constitution talks about the rights of people, not of citizens. Unfortunately both documents are simply being treated as toilet paper by the people entrusted with their enforcement.
Re: (Score:2)
Articles 2, 3, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, and 29 certainly do not apply to the USA.
Re: The Universal Declaration of Human Rights (Score:1)
All those numbers! You must be sending a coded message.
Re: (Score:2)
No worky (Score:2)
Check out the new Slashdot iPad app [apple.com]
Link (Score:3)
Go Kim! You Magnificent Slimy Bastard... (Score:2, Interesting)
I find this farcical, so the NSA is going to start playing whack-a-mole with a what will be in the near future, a plethora of alternative secure email providers. Ask the RIAA how well that works out.
AC.. because I can.
Will need better security than current (Score:5, Informative)
According to Security Now/Steve Gibson, the encryption/security on the MEGA file site is not very sound
https://www.grc.com/sn/sn-390.htm [grc.com] (search for "Java Crypto" to get about 3/4 way through the show) or listen to the podcast..
MEGA is well intentioned Im sure, but the Javascript code in MEGA does not cut it for serious security, and they need to dp waaay better for an email service.
Remember that ALL THE DATA is being retained now, so one crack in the system and there is a way in.
Air tight security is do-able, but needs to be serious - I wish Mega lots of luck.
Re: (Score:2)
search for "Java Crypto" to get about 3/4 way through the show
It's hard to tell if he's talking about Java or JavaScript -- he bounces between the two as if they're interchangeable, when they're not.
Re: (Score:2)
Does that tell you anything about him?
We require a new encryption scheme (Score:4, Interesting)
The problem is that private key, in server solution, are available on the server. Even in Mega, the private key is located server side and the password/passphrase is supplied by the end user over SSL. So, the weakpoints are SSL and the domestic machine, as well as an intercept placed on a server at Mega.
What we require is a private key that a person hold, on a smartcard type arrangement. From this we derive a personal certificate authority and a public key. We issue certificates through our personal CA for particular roles and upload them to our provider. This then acts as our transport encryption, digital signatures, email encryption and so forth. The private key never enters the network and everyone has a unique encrypted layer, rather than a common SSL certificate.
Decryption is performed by streaming the contents through the smartcard. We can add additional factors to this authentication such as biometrics, pin, etc. In fact, the user should be able to determine the amount of factors, their order, etc. The decrypted output can either be sent back into the machine (if you feel it is secure), or forwarded to a secure offline machine.
We only need to make sure that this forwarding eliminates the possibility of an exploit and that means a limited stack that only provides certain features. Such as text and/or video.
There is no reason that a standard mobile phone could not have two physical portions, one connected to the web and another for secure comms.
Re: (Score:2)
..so we don't actually need a new encryption scheme, just a system to make using what exists feasible in normal communications.
Re: (Score:2)
For webmail, what would be wrong with: encrypt/decrypt via client side javascript, private key is stored in html5 storage thing, and is encrypted via user's password. The server never sees the user's private key, nor their password (authentication with server can happen via public/private keys (e.g. have the client digitally sign username/request, server can verify the signature, no need for passwords on the server).
Re: (Score:3)
One word: search.
If you can figure out how to do server side search in a way that is reasonably efficient (storage and compute), does not require the server side to know the key, does not otherwise compromise the secrecy of the cipher text (user documents); I suspect you can make a great deal of money licensing your patent.
Re: (Score:1)
About search : maybe you can permit some parts (mail addresses ? some words ? tags ?) to be indexed on the client, in an encrypted form ? To what extent it will compromise the security of a message if you know some words in it ?
Anyway, a part of a security system is simply a good memory. The most you can remember (in your head only) the better.
Still, that's simplified, but things to think about.
Re: (Score:2)
For webmail, what would be wrong with: encrypt/decrypt via client side javascript,
The big problem is that the website can change the client side javascript that it sends to a version designed to send the key to the server. If the version designed to grab the key is only sent once per user and only to users of interest it is unlikely that users will notice this behaviour.
Humor (Score:2)
Searching on the client is hard? (Score:2)
Don't all email clients do this?
Are those people so infatuated with web applications that they don't realize true applications do everything on the client?
Re: (Score:2)
It seems so. I've talked to people that are shocked when I can get my email without internet access (alt-f2, "thunderbird")
Re: (Score:2)
Oh yes, they are completely infatuated with web apps.
The problem is, if you want to read mail on more than one platform - phone, tablet and PC - you need one or more of them to use a remote message store. Otherwise you can't see and search the mails received on one platform when you're on the other. Unless you sync all mails between devices, which is going to cost you in battery lifetime and possibly in mobile data bills.
Also, you don't really want to search email on a phone: That would be slow and run down
Re: (Score:2)
Both POP3 and IMAP are protocols to access a remote message store.
IMAP has more advanced features, like keeping track of what has been read and what hasn't.
This is nothing compared to the average consumption of a smartphone like what the Facebook application requires.
Re: (Score:2)
Who in his right mind would do Webmail on a phone/tablet? Also what does the used application protocol have to do with security? Wether you send unencrypted IMAP/SMPT or unencrypted HTTP doesn't make any difference. Also if your email is on some harddrive anywhere and it is unencrypted or somebody you can't
Re: (Score:2)
There is also the PUSH variant of IMAP that doesn't even require to check at all.
Eliminate mail servers (Score:3, Interesting)
The problem is that email is managed from a central location.
If email clients opereated as fully encrypted standalone, "peer to peer" entities, the central mail server would be eliminated, and snoops would only be able to grab the encrypted content, and perhaps the locations of sender and receiver.
Chasing the wrong target. (Score:5, Insightful)
I've said it before and I'll say it again, this concentration on encryption is fiddling while the house burns. Encryption is sexy, and easy, and kewl, and l33t... but it won't protect against the real threat - traffic analysis.
Re: (Score:2)
Re: (Score:2)
Sometimes it's more important who you know and not what you know.
Re: (Score:2)
Sometimes it's more important who you know and not what you know.
Not only this, but there's also, in theory, a greater threat between the combination of the two. Suppose I have three friends, Alice, Bob, and Carol. I send cleartext e-mails to Alice and Bob, but Carol gets encrypted messages, then those who are sniffing the traffic can discern the following information:
1.) I know Alice, Bob, and Carol.
2.) Since Alice and Bob get standard e-mails, I'm selectively encrypting my messages.
3.) I'm selectively encrypting messages to Carol, and Carol is selectively encrypting me
Re: (Score:2)
If you are trying to disrupt a terror cell, yes. If you are looking for dirt to stop the "wrong" guy from wining an election less so.
Re: (Score:1)
Because if they can't directly read your e-mails, traffic analysis will be used to determine who you're talking to, what you're using to talk to them with, any number of bits of information that could identify one party or the other in a secure conversation. Once they have their hands on someone who holds a key, all they need to do is employ some "enhanced interrogation techniques" freshly passed as totally-not-torture by Bush and Obama.
Traffic analysis isn't just a fall-back plan, it's just as powerful a w
Re: (Score:2)
Traffic analysis can be easily foiled by data poisoning. For each valid e-mail, generated 10,000 fake e-mails that are sent at random (or some other criteria).
After the receiver decrypts the messages, the fake e-mails will say they are fake and the client discards it. Add in some forwards too to make the problem harder.
Getting a list of e-mail addresses to send to is the problem. But, can be done with a client side solution.
So, even if the server is compromised, there is still possibility of secure e-
Agencies becoming monsters (Score:1)
The amazing thing to me is that using any of these encrypted mail services will automatically flag you as a suspect for the NSA. Just like when detect patterns used by Tor and store all of the traffic in a special place.
How long until the FBI and NSA keep files on everyone that they can identify using these services? Like a new era of McCarthyism but instead of a public trial you have a secret trial where the government has all of the cards. This is essentially what the guy Aaron Swartz and the Lavabit g
Archive.org (Score:1)
We have secure mail now (Score:2)
Just use mail on FreeNet,
Sure, FreeNet, which would be the more secure option we have currently, doesn't have any outside gateways, but if you are concerned about security, you don't want one anyway.
Re: (Score:2)
Your solution is definitely the most sound technique of everything I have read so far on how to deal with this issue. So I guess you can establish a Darknet with your friends and family and some sort of encrypted e-mail using regular Thunderbird, and keep plain text e-mail for initial contact only. For business mail this would be tough though, and I guess you can set up a ticket support system to get in touch with your customers instead, but as dealing with providers and such, plain text e-mail will have to
You can use Gmail + Penango! (Score:3, Informative)
The matter of protecting your e-mail is a simple one - there are standards (S/MIME). What you need to look in a provider is:
(1) They SHOULD NEVER have copies of your private keys
(2) They should follow published standards
(3) Allow S/MIME e-mails
For example, if you want to use your Gmail account with military-grade security that neither NSA can read, just install Penango in your browser and send messages encrypted - this solution is also used by US military and corporations. Penango does not hold any of your private information and/or your keys - so they can not be forced by anybody to give out your secret.. simply because they do not have it!!!! For more info, go to http://www.penango.com/
Re: (Score:2)
For example, if you want to use your Gmail account with military-grade security that neither NSA can read, just install Penango in your browser and send messages encrypted - this solution is also used by US military and corporations. Penango does not hold any of your private information and/or your keys - so they can not be forced by anybody to give out your secret.. simply because they do not have it!!!! For more info, go to http://www.penango.com/ [penango.com]
Except that penango is not really compatible with any current browser releases except Internet Explorer. Firefox is supported, but only up to version 20. The current release is version 23.
It's a plot (Score:2)
Look at it this way: everyone's all "we gotta have email encryption" and we've completely lost interest in "OMG 99% of all email is spam and we can't get rid of it." It's the NSA's way of encouraging Internet Businesses.
(please please PLEASE don't make me bring out the whoosh or sarcasm tags m'kay?)
Privacy in 2 years (Score:5, Insightful)
This whole thing about privacy will be a non-issue in about 2 years.
There's currently a mass-exodus away from US-based cloud services, and (within the US) away from all cloud services.
Cloud services will have to provide privacy or go out of business. The only way to ensure privacy is client-based encryption keys and open-source software. Since it's impossible to control the distribution of open-source software, the client-side package will end up being free.
This is a good thing, IMHO. Cloud services will focus on the actual service, they won't be able to rummage around in our lives (both corporate and personal), they won't be able to "monetize" their customers as products to advertisers, and the NSA will be shut out of much illegal snooping.
People are already thinking about how to encrypt existing web-based mail services, and I'm even hearing rumors about replacing SMTP altogether with a more secure protocol.
Expect a lot of wailing and gnashing-of-teeth from the government, proposals to make this or that protocol "illegal" or to require government backdoor access, but in the end it will come down to simple economics.
There is an enormous market-driven push towards more privacy. Edward Snowden has had a measurable effect on the world, and probably deserves the Nobel peace prize he was nominated for.
Re: (Score:3)
I'm even hearing rumors about replacing SMTP altogether with a more secure protocol.
There have been "rumors" and "proposals" to replace SMTP for almost a decade. It'll never happen. SMTP will die slowly, the same way NNTP is slowly dying. And that will only happen when there's a way to communicate that surpasses it. Web discussion boards basically killed NNTP. I don't think there's anything out there yet to kill SMTP.
Also, encrypting your mail misses the point. Groups like the NSA can still do traffic analysis on the SMTP envelope to know who you're talking with even without reading the co
Re: (Score:2)
There have been "rumors" and "proposals" to replace SMTP for almost a decade. It'll never happen...
Um... there is now an enormous economic incentive to do this.
Are you saying that the current situation is exactly like it was in the last decade?
Re: (Score:2)
Spam was and still is an enormous economic incentive to replace SMTP....and yet, after a decade of avalanches of spam, we haven't replaced SMTP with something that addresses any of the aspects of SMTP that permit spam to happen. This situation isn't even on the same order of magnitude of economic burden as spam is every single day. So, yes, the current situation *economically* is exactly like it was the last decade: we're paying for the design decisions of SMTP, and will continue to do so until something sh
Re: (Score:2)
Expect a lot of wailing and gnashing-of-teeth from the government, proposals to make this or that protocol "illegal" or to require government backdoor access...
There was a classic example of "Think of the terrorists" FUD in NZ last week. The PM of New Zealand, who's cramming his legalized-spying-on-your-own-citizens bill through parliament at the moment, last week trotted out some "facts" about how the NZ government is "monitoring" several NZ residents with ties to Al Queda, several of which are in Yemen attending "training camps" at the moment.
If that's true, then isn't letting these people know you're watching them a bit of a silly idea? And anyhow, it still doe
As always, it's a matter of trust (Score:2)
When you rely on a third party for security, you are placing an enormous amount of trust in them. You're trusting that they have not installed backdoors, that they do not copy your encryption keys and that they really are doing all the things they say they are. There are also external factors that may be beyond their control, like government demands, as we saw with Lavabit.
Now, if Mega is going to do something like build plugins, extensions or local proxies for popular web and local mail clients that make
Goddammit, why can't people learn? (Score:3, Informative)
If you want secure email, don't put it in the cloud. People who try to set up new cloud services to get attacked aren't helping, and can't deliver on what they want to make people believe they can.
It's not hard to set up a mail server. It's not hard to use PGP. Be at least a little harder target.
Just say no to the goddamn cloud, already.
Why not let user give permission to decrypt mail? (Score:1)
'If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard."
Why not let user the compromise on security in order to search, etc., by giving the server permission to decrypt for N minutes or seconds? Then client software sends the key, Mega promises to destroy the key and the unencrypted text at the allowed time. Standard legal advice in advance explains the resu
Re: (Score:2)
publicity stunt (Score:2)
Kim Dotcom as usual enjoys filling the spotlight,
you can put a period there, that's all there is to say about it.
If you trust an e-mail service run by Kim, you are a stupid idiot. The guy ratted out people to the authorities before, when it served him.
One thing is right about this idea, though: If you want a secure e-mail provider, it absolutely has to be located outside the USA. Nothing on US grounds can be considered secure anymore.
Needs (Score:2)
Truly anonymous email needs to be both encrypted and efficiently hide communication patterns.
If the system is based on a central server that maps addresses and you have the ability to listen to inbound and outbound mail you can fairly easy generate a map that will link real and anonymous email addresses if the system runs in real time. Mails to be relayed should be delayed a random time and sent out in random sized pools. That would hide the link.
An alternative would be a private bulletin board system where
Re: (Score:1)
An alternative would be a private bulletin board system where no messages ever leave the server and both sender and recipient must log in to send or receive mail. It will also hide the patterns provided the database is completely encrypted, including relations.
You're quite correct, and THIS (the BB system) is the method professional agents use the most.
No professional spies here, I gather.. (Score:1)
Re:New Plan (Score:4, Funny)
The latency is really bad, but at least your information will be secure!
Heh heh, secure. Heh.
Re: (Score:3)
Actually, there's a product in there.
Envelopes for the paranoid. Made of extra-thick paper, with an aluminium foil lining. Each pack comes with very, very thin stickers bearing a pack-unique printing that can be placed over the seal, making it impossible to open the envelope without tearing.
Re: (Score:2)
Or you could go to DEFCON and learn how to remove tamper seals without leaving traces. :)
I DO suspect there's a product in there, but it's a lot more complex than that
Re: (Score:2)
Oh, it doesn't have to actually work. So long as the suckers believe it will work, and will fork over money for it. Because really, the government isn't going to care what the typical conspiracy-theorist paranoid is writing to his friends about.
Re: (Score:2)
typical conspiracy-theorist paranoid
friends
There's a fatal flaw in your thinking right there...
Re:New Plan (Score:4, Informative)
Not at all.
1. Press soft clay up to the seal to get an impression..
2. Open envelope, read, close.
3. Fire clay. Smooth it down a little carefully.
4. Melt wax, apply clay stamp.
Re: (Score:2)
Cut off the seal with a hot knife. When you're done violating someone's confidentiality, stick it back on.
Re: (Score:2)
This only works if the recipient knows you are sending it in your special high security envelop. If not dear old Uncle Sam can open the letter read it, and put it back in a regular secure envelope to send on to the recipient.
Re: (Score:2, Funny)
Re: (Score:2)
PGP encrypted snail mail, then.
Actually, it is (Score:2)
Re: (Score:2)
Paper mail is not opened or scanned unless there is an actual warrant.
That's what they said about email.
Yes, they will "log" your mail and possibly take a picture of the envelope,
Yes, they will log your mail, including a picture of the envelope. If you don't know that they're taking pictures of all the envelopes, you don't know how the mail system works. If you think they're throwing that data away, you're a fool. If you tell people that they are throwing that data away in spite of the evidence to the contrary, you're a useful idiot.
As far as drag net "security" from the NSA and such, paper mail is more or less left alone. You can still encrypt the contents and sign it with a private key. Even if they open up the envelope, they won't be able to decrypt if they don't have the key and your encryption is sound.
Right, but now you either have to manually decrypt or you have to OCR. What a PITA. One of the great things about digi
Re: (Score:1)
How does searching work for this kind of tranport/storage?
Re: (Score:2)
How does searching work for this kind of tranport/storage?
If you have a bevy of beautiful, friendly, young scantily-clad Polynesian girls that you can sit and watch go through the envelopes searching, who cares how long a search takes?
Now *that's* what I call an upgraded mail service!
Strat
Re: New Plan (Score:2, Interesting)
I think you need a new new plan
http://news.yahoo.com/ap-interview-usps-takes-photos-mail-072949079.html
Re: (Score:2)
I think you need a new new plan
http://news.yahoo.com/ap-interview-usps-takes-photos-mail-072949079.html
(selectively) Quoting the article:
...the photos of the exterior of mail pieces are used primarily for the sorting process..
See, that's just _metadata_. No worries.
Re: (Score:3)
http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?pagewanted=all&_r=0 [nytimes.com]
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Old Plan (Score:2)
By court order your mail can be opened and read. It can also be read after opening when you get hit with a search warrant.
Re: (Score:1)
What do you mean secure?
USPS scans the front and back of every envelope that goes through their processing centers. They then use these images and OCR to create the same metadata they are capturing on phone records.
Re:New Plan (Score:4, Interesting)
Only the outside of the envelope. They can't see contents unless they open the envelope, which requires a warrant. They can't retroactively open your letter once it has been delivered. If you want to encrypt the contents, you can do that too, but you can't encrypt the routing information.
With encrypted email, the header is unencrypted because it's needed for routing, so the government can record every entire message that passes through a cooperating server. With encrypted email, you could copy every message that passes through a server and decide later which ones you want to try and decrypt.
If you want to add real anonymity, you can use anonymous email accounts. But that's thin security. A government really interested in who's getting and sending anonymous emails can figure it out by tracing packet routing.
For harder-to-crack anonymity, you can upload encrypted files anonymously to a server and download all the messages periodically. Whichever ones you can decrypt with your keys are addressed to you. It's very inefficient, but there's no way to figure out who got your messages without either seizing your computer or hacking it. They can still identify who sent it and what set or receivers might have gotten it by tracing packets.
Re: (Score:1)
Thing is, they aren't too interested in the contents of the envelope at all, at least until you're a person of interest. What they really want is use all that juicy metadata (outside of the envelope, i.e. headers) to establish ties between everyone.
Re: (Score:3)
Re: (Score:1)
Well, some people, and by some people I mean the people who have been pushing the panic button for the last decade, say the spooks are routinely looking out for up to three degrees of separation. Three sounds like an entirely plausible optimal number.
There was a relevant facebook study about the small world theory a couple years ago, and IIRC, the average distance between any two people (globally) on the network was 4.6 or some such. Of course, you have the people who have to friend anyone and everything ev
Re: (Score:2)
you can upload encrypted files anonymously to a server and download all the messages periodically. Whichever ones you can decrypt with your keys are addressed to you. It's very inefficient, but there's no way to figure out who got your messages without either seizing your computer or hacking it..
I like this idea, and think it can be made plenty efficient by decreasing the number of recipients that "share" a given inbox -- say 1000 users or so.
Yes, please secure email me at 3013@mailinator.com using my public key.
Re: New Plan (Score:2)
Re: (Score:2)
Going Galt then are we?
I symphathize and have thought much the same myself.
But I recommend you think first before adding one unwise decision on top of another.
A restaurant is one of the most common business to fail, and that's in a good economy. It's hard work to boot.
Plus now you have to deal with increasing taxes, Obamacare and on top of that you get to be on the top of the list of IRS targets.
http://rt.com/usa/irs-taxes-small-business-898/
Good luck. Maybe they'll let us bunk together at the re-educatio
Re: (Score:2, Flamebait)
A restaurant is one of the most common business to fail, and that's in a good economy. It's hard work to boot.
Plus now you have to deal with increasing taxes, Obamacare and on top of that you get to be on the top of the list of IRS targets.
http://rt.com/usa/irs-taxes-small-business-898/
>
Yeah, an industry-wide pattern of underreporting wages and tips will do that to you.
Re: (Score:2)
No but I bet the US feds would love to see all those involved with mega sent to Guantanamo Bay :)
Re:Warning (Score:4, Interesting)
Step 1: Kim Dotcom starts Mega Crypto, which is promptly adopted by the world's political dissidents and leakers.
Step 2: All pending government litigation against Mega suspiciously disappears and his assets are unfrozen.
The guy's accustomed to his ill-gotten gains -- even setting aside the rampant piracy of Megaupload, he's a convicted fraudster and embezzler, and has bribed public officials for protection before.
I suspect that if offered the choice between losing his $20 million house, his 12 cars, his yacht, and becoming a partner of the US government, it wouldn't take him much to crack.
Re: (Score:2)
Step 1: Kim Dotcom starts Mega Crypto, which is promptly adopted by the world's political dissidents and leakers.
Step 2: All pending government litigation against Mega suspiciously disappears and his assets are unfrozen.
The guy's accustomed to his ill-gotten gains -- even setting aside the rampant piracy of Megaupload, he's a convicted fraudster and embezzler, and has bribed public officials for protection before.
I suspect that if offered the choice between losing his $20 million house, his 12 cars, his yacht, and becoming a partner of the US government, it wouldn't take him much to crack.
He also made a name for himself in Germany for selling out phreakers to the feds when he got cornered. The man is an unstrustworthy megalomaniac.
Re: (Score:2)
I like this..
Obviously use something better then md5, and salt it with something generated from the private key and create a b-tree with message ids. This could likely be stored and searched server side with very little risk.
Otherwise actually have a clear text b-tree in client memory, update it locally, and send it encrypted to the server. Might take more bandwidth but it would just be an index.