---

https://mega.co.nz/#blog_4


MEGA's first week - a retrospective
一月 27, 2013

It's been seven busy days for us since MEGA went live. As millions of users
were hitting 50,000 freshly written and barely tested lines of code and
dozens of newly installed servers, teething troubles were inevitable - it
took us almost 72 hours to resolve the major bottlenecks, and we would like
to apologize to all users who were affected.



As expected, the public debate about MEGA revolves primarily around our
cryptographic security model and can be classified into five categories:

        如同預期，有關MEGA的公開辯論基本上都環繞在密碼安全模型上，並可分為
        以下五類：(以下五點皆與密碼安全模型有關 略過)

Actual bugs. Two (an XSS hole and the invalid use of CBC-MAC as a secure
hash) were reported by the community so far and fixed swiftly. To all the
bright minds going through our amorphous code: Thank you for your efforts! We
will make our JavaScript more readable and launch a bug bounty program
shortly.

Design flaws exacerbating the potential impact of weak user passwords. We
acknowledge that our current approach is based on the assumption that all of
our users choose strong passwords, which is probably a bit naive. We are
going to improve the sign-up interface (better user education and rejection
of overly weak passwords). We'll also reduce the offline password cracking
risk for users who do use weak passwords and fall victim to someone
intercepting their e-mail or obtaining their user record from our central
database.

Weak random number generation: We have added WebKit's
crypto.getRandomValues() into the mix and will collect mouse/keyboard timing
entropy explicitly before generating the RSA key pair rather than informing
the user that we are doing so only after the generation has already started.

Deduplication - clause 8 of our Terms of Service has caused some confusion
and concern. The reality is quite harmless: We deduplicate based on the full
encrypted file. That's it.

Polemic in the "if you can break SSL, you can break MEGA" category. No
comment.

Other issues:

        其他議題:

Within hours after the launch, Hotmail started blackholing our e-mails
(silently discarding potential ham is actually quite a rude thing to do!).
Apparently, our sudden surge of activity triggered some heuristics designed
to guard against spam botnets. Please do not use a Hotmail address to sign up
while we're working with them unblock our IP range.

     1. 復活後內的好幾小時內，Hotmail過濾掉了我們的e-mail(blackhole)。顯然，
        我們突如其來的活耀浪潮啟動了某些自動防堵垃圾郵件機制。請暫時別用
        Hotmail註冊，而我們會繼續和他們聯繫，希望能將我們的IP解鎖。

Uploads would sometimes restart from scratch in case of intermittent network
issues. This has been fixed.

     2. 本來上傳有時會因為網路問題導致重新開始。現在已經修正了。

We would also like to thank everybody who submitted suggestions and feature
requests. Our to-do list is growing!


---
先前有遇到這兩個問題的網友可以再試試看 是不是解決了

--
※ 發信站: 批踢踢實業坊(ptt.cc)
◆ From: 1.162.201.56

--