Don’t call it a comeback: Megaupload goes legit

You gotta hand it to Kim Dotcom, aka Kim Schmitz, the German-born posterboy for copyright scofflaws. When the 6-foot-7-inch, 350-pound-plus Dotcom does something, he does it big. This week’s launch of Mega, a new “privacy” service that promises 50GB of free online storage so secure even the spooks can’t get to it, is no exception.

Mega is the successor to Megaupload, the wildly popular digital locker that got locked down by the federales in a coordinated online/real-world raid exactly one year ago. Megaupload was allegedly a haven for movie thieves, allowing them to store and swap pirated films by the thousands. Unfortunately, thousands of perfectly legitimate Megaupload users also got locked out, losing access to the files they had uploaded. Today, a year after the lockdown, they still can’t get to their stuff.

[ Cash in on your IT stories! Send your IT tales to offtherecord@infoworld.com. If we publish it, we’ll keep you anonymous and send you a $50 American Express gift cheque. | For a humorous take on the tech industry’s shenanigans, subscribe to Robert X. Cringely’s Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld’s Tech Watch blog. ]

On Sunday, Dotcom officially opened Mega for business, complete with an over-the-top extravaganza featuring a mock FBI helicopter raid. So far, though, Mega mostly looks like a megafail. Not that it’s lacking in popularity — according to Dotcom, more than a million people signed up on the first day alone. That’s part of the problem.

It took me more than a day to get the site to load in my browser, another two days to actually register. After a few dozen failed attempts I am now currently uploading an hour-long legally purchased movie at modemlike speeds. I created a second account to see if I could swap files between them. That one worked — for a day. Now Mega is telling me I have the wrong log-in info (I don’t). If you lose your log-in, guess what? You lose access to everything. There’s no way to recover or change your password, though Mega’s minions say that’s coming.

Dotcom has acknowledged the screwups via a series of tweets.

Naturally, there’s rampant speculation Mega’s problems are due to a DDoS attack launched by operatives of the MPAA and the feds, or that some offshoot of Anonymous has taken a dislike to Dotcom and is gumming up the works. I suspect the cause is more basic: Dotcom failed to anticipate the interest he’d managed to stir up. You’d think a guy who’s made tens of millions of dollars selling bandwidth and storage would think to have enough bandwidth and storage to go around.

That’s far from the worst of Mega’s problems. The service has already come under fire from a number of security experts who question how serious Dotcom really is about providing seamless encryption, noting a number of flaws that could allow a third party (say, a three-letter federal agency) to take over and change encryption keys on users. Others have noted cross-site scripting vulnerabilities on the Mega site and shoddy code in the open source encryption software Mega is using.

Forbes’ Andy Greenblatt quotes one skeptical crypto geek:

“It’s a nice website, but when it comes to cryptography they seem to have no experience,” says Nadim Kobeissi, a 22-year old cryptographer and creator of the secure chat software Cryptocat, who began poring over the public portions Mega’s code as soon as it debuted over the weekend. “Quite frankly it felt like I had coded this in 2011 while drunk.”

The battle over music piracy is over, and the music industry lost. The movie industry is determined to not go down quite so easily and ineptly — hence the over-the-top commando assault on Dotcom’s New Zealand compound last January. Somebody with a lot of juice is trying to take Dotcom down; Mega is his response.

But is the idea really to provide secure storage that’s untouchable by Johnny Law? Or is Mega really just a “see no copyright violations, hear no copyright violations” cover-his-sizable-assets clone of Megaupload? Going from the business of piracy to privacy is easy — just change a few letters. Actually pulling it off is much harder.

You have to believe some of the millions of Mega registrants are employees of government agencies or the MPAA’s private investigators. I’d bet serious money on that. Then all you need to do to bring Mega down is start seeding the service with agents, upload a few illicit files as bait, and entrap people to share with you. Another round of warrants, another series of dramatically staged arrests, and we’re back where we started.

Even if that doesn’t happen, the copyright cops want you to think it might. That would also explain why our government refuses to release files to people it knows didn’t break any copyright laws. By punishing legit users of Dotcom’s enterprises, they hope to frighten the nonpirates away.

If you’ve joined Mega to run your digital piracy business and Johnny.brylcream@NotTheFBI.com suddenly wants to swap contact details, don’t say I didn’t warn you.

Are you planning to give Mega a try? Why or why not? Share your thoughts below or email me: cringe@infoworld.com.

This article, “Don’t call it a comeback: Megaupload goes legit,” was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely’s Notes from the Field blog, and subscribe to Cringely’s Notes from the Underground newsletter.