
Sorry, I'm too tired to continue this bullshit conversation in a different tone, so here's a somewhat angry rant.

EGreg said "provably not able to access your information", which means that there's a proof of some kind. What the fuck does "prove it to yourself" in your comment mean? That I'm now responsible for writing the security proof? That you acknowledge that no such proof exists, but I can write it myself?

Oh, you probably didn't mean "prove", you meant "ensure", as in I can ensure that the traffic between Mega and my browser is encrypted. What does this say about security? Absolutely fucking nothing!

It's a known fact that Mega is NOT secure. Even if you store your key locally, and they don't know it today, they can do whatever the fuck they want with their web pages: next time you log in, they can send you a piece of JavaScript to decrypt everything, or read your key, or... just do anything! If you're looking for an example, this happened with HushMail (http://en.wikipedia.org/wiki/Hushmail).

Anyway, I didn't really mean to ask for a proof, because I know that there's no security proof that "Mega, LastPass and others" are not able to access my information, I was looking for a way to encourage EGreg to do some research and declare that he was wrong, because his claims are fucking dangerous. I certainly didn't expect replies like yours.



LastPass does encryption client side. The difference is that it would require an active attack (pushing new code in an update) with a chance of being spotted by a reverse engineering attempt.


Who says that the backdoor hasn't been shipped since the first release and just sits there idle waiting for a nudge from the server?

A larger point is that security is based on trust. Trust is based on assumptions, especially and exclusively when it's closed-source software. Assumptions that what the company says is true. Now we know that they can be forced to lie, and any claims of security just crumble like a house of cards.

Even if LastPass had been open-source, it would have made little difference, as the company could have been forced to distribute binaries made from altered sources. It wasn't easy to build trust before, but it's going to be nearly impossible to build it now. That's not to say there aren't plenty of people who are after pseudo-security and who are easily lulled by cross-my-heart promises squirting out of every second company now.


True, they could have shipped a backdoor since day 1 but it's unclear what their incentive would be to do so and they run the risk of it being found with a reverse engineering attempt.

Is there any basis in law under which the government can force a company to distribute altered binaries? If the government can force you to add a backdoor in your own product, in effect they have the power to demand that you perform free labour for them.

That would seem to form a basis for also demanding that a person work as a spy for them etc.


You haven't been paying attention recently at all, have you?


What is that supposed to mean?


There are "incentives" that are shoveled down companies' throats and secured in place by gag orders. Perfectly legal too.


You're right, I used the word "prove" way too loosely.



