Hacker News
by nikcub 5254 days ago
MegaUpload ran a net profit margin of around 40%. Hosting anywhere else probably would have wiped a lot of that out. Their main competitive advantage was download speeds in the USA - if you read online comments there was constant bitching about the speeds of other sites vs Megaupload.

But forget the download servers being hosted in Virginia - what is much much worse is that they hosted their email servers at the same colo. This entire case and almost all of the evidence is built up around the contents of that email server. The feds obtained a secret warrant to get the details and most of the facts in the indictment are based on what they found.

I wrote about this here:

http://nikcub.appspot.com/posts/how-megaupload-was-investiga...

I hope this case makes it to a trial because I would like to find out what probable cause was used to obtain the warrant to hand over the email server.


That's a rational, measured assessment. You bring up an excellent point at the end: if all of their evidence is from the emails, how did they get the warrant to obtain the emails?

I submitted it, but it looks like you already did so last week, and it didn't get much attention. I hope more people can see it from this thread.

Thanks. I have resubmitted it, assuming that is ok to do.

http://news.ycombinator.com/item?id=3529536

I have also been spending some time reading over the Viacom vs YouTube case. The parallels between it and Megaupload are striking - the difference being that Megaupload is a criminal case while YouTube was a civil case. I found that the YouTube internal emails were much more incriminating than the MegaUpload emails. I plan on writing up the details of the emails and other parallels between the two cases sometime this week.

Maybe they had a source inside MegaUpload.

Another excellent argument to use encryption. It seems every couple of weeks there is another high-profile incident where a lot of trouble would have been saved if people had taken the time to set up Enigmail.

I would also love to see some advances in client-side steganography that could be usable as easily as GPG. Probably the closest thing we have now is TrueCrypt hidden volumes but that doesn't really work for email.

Keeping encrypted data in the US is increasingly futile - see http://arstechnica.com/tech-policy/news/2012/01/judge-fifth-... .

Steganography is a good idea, though.

(edited: corrected stenography -> steganography per too-aggressive spellchecker usage)

It is not a settled question whether you can be forced to decrypt or not; some judges have considered encrypted drives protected and others have not. And the UK has compelled individuals to decrypt as well.

The fact remains that you are much better off encrypting in the first place even if you are eventually forced to decrypt. You can challenge the order to decrypt, you can add more time to the investigation and give your lawyers more time to put together a strategy for whatever angle they consider most prudent, you can prevent surreptitious listening that may arouse interest in your activity in the first place, and so on.

Even if you ultimately are forced to comply with an order to decrypt, which again is by no means guaranteed, you still do yourself a lot of favors by encrypting from the get go. And we haven't even mentioned protection from non-governmental entities like script kiddies, competitors, or tabloids.

> Stenography is a good idea, though.

Steganography is provably secure but requires a lot of cover data and careful implementation.

Steganography is less useful for most purposes than most people want.

Unfortunately this is the case now. I am hoping that someone invents something that makes steganography more usable. "----BEGIN PGP MESSAGE----" is a little obvious for my taste, though of course encryption is much better than nothing.

I think you mean steganography. "Stenography" is writing down what someone is saying.

Indeed, I should have paid more attention to my spell checker which does not recognize "steganography". Thanks.

Thank you! Corrected.

Encryption is not so foolproof. A judge in Colorado has ordered a woman to decrypt her laptop. The authorities will find ways to plug the loopholes that technology creates. If they can't break mathematics, they can break your will.

Do you have a source on this? Isn't there such a thing as "you have the right to remain silent" in court as well?

Or just don't host in the USA, since apparently now you can be forced to decrypt. I wouldn't trust the UK, EU, Singapore, South Korea, Australia, New Zealand etc. either - which rules out most countries that have decent peering and colocation infrastructure.

Can anybody suggest a country/host that is cheap, fast and outside of the reach or co-operation of a US federal investigation?

I don't think so. If you're really concerned about communication staying irretrievable by hostile players you will have to use some alternate channels and take care to ensure that you don't leave tracks on the devices that would get confiscated. I wouldn't just plop something in Costa Rica and expect it to be OK.

You'd want to look at where the spammers and malware pushers host or are located, mostly China, Russia and a few Eastern European countries. Of course you're trading one set of problems for another: depending on the location you'll likely lack most IP protection, be subject to constant surveillance, extortion and organized crime.

The indictment mentions NinjaVideo as an affiliate of some sort. Given that they were recently taken down for criminal infringement, it is possible that they found something in their emails or whatever which they were able to use against MU. Assuming that's true, one would expect them to go after any affiliates of MU next, using the evidence they've gathered in this case.