Inside the Mansion—and Mind—of Kim Dotcom, the Most Wanted Man on the Net

Photo: Wilk

Please Choose One of the Following Statements:

  • A. Kim Dotcom is not a pirate. He’s a hero. The savior of my online liberties. A visionary digital entrepreneur. His company Megaupload was a legitimate data-storage business used by hundreds of millions of individuals and by employees of NASA, US Central Command, even the FBI. The raid on his New Zealand home was excessive and illegal—shock-and-awe bullshit. Hollywood is terrified by the digital future, and an innocent paid the price. Kim is a martyr. But Kim will triumph.

    You’d like him, he’s cool.

  • B. Kim Dotcom is a pirate. A megalomaniacal gangsta clown. An opportunistic and calculating career criminal. His Megaupload enterprise willfully made hundreds of millions of dollars off stolen movies, songs, videogames, books, and software. And, oh yeah, he couldn’t be more obnoxious about it.

    He wanted Wired to write a nice story about him, so he manipulated its writer by providing exclusive access, and even a few tears, in hopes of a puff piece. But Kim is a criminal. He knows he’s a criminal. Like any pirate, the only freedoms he really cares about are the ones he can exploit to make himself rich. The rest is all PR.

    If you think he’s cool, you don’t know him.

  • C. Kim Dotcom is rich enough to work however and wherever he wants. And what he wants is to work from bed.

His bed of choice is a remarkable piece of custom Swedish craftsmanship made by a company called Hästens. Each one takes some 160 hours to produce and is signed by a master bed-maker who lays out the most perfect matrix of horsehair, cotton, flax, and wool. Price after custom framing: $103,000. Kim has three such beds in his New Zealand mansion, one of which faces a series of monitors and hard drives and piles of wires and is flanked on either side by lamps that look like, and may well be, chromed AK-47s. This is Kim’s “work bed” and serves as his office. It was here that he returned in the early morning of January 20, 2012, after a long night spent on his music album, one of his many side projects.

Kim had spent the previous seven hours down the road at Roundhead Studios, laying down beats with songwriter Mario “Tex” James and Black Eyed Peas producer Printz Board in a studio owned by Crowded House frontman Neil Finn. They finished around 4:30 am, and Kim slid into the backseat of his Mercedes S-Class for the ride back to his mansion. Soon after leaving the parking lot, Kim noticed headlights behind them. He said to his driver, “I think we’re being followed.”

They pulled into Kim’s rented palace around dawn. His wife and children were long asleep in another wing. Kim walked to his upstairs chambers, showered and changed into his customary all-black sleeping costume, grabbed his customary chilled Fiji water from the upstairs fridge, and settled before the monitors of his work bed. Then he heard the noise.

A low, wavering bass, it seemed to be coming from outside. Kim couldn’t tell—the cavernous stone labyrinth of rooms swallowed and scattered sound, and the thick velvet blackout curtains blocked out everything else. Kim guessed it was his helicopter. He didn’t bother with details, he had a staff for that, but he did know that VIPs from the entertainment world were expected in from LA in celebration of his 38th birthday. Maybe they’d arrived early and Roy, his pilot, had been dispatched to meet them. A moment later the helicopter theory was confirmed by the sound of rocks from the limestone drive raining against the windows. Fucking Roy! He’d been told not to land too near—the thought was interrupted by a boom, echoing and close.

This noise was coming from the other side of his office door. It was heavy hardwood several inches thick, secured by stout metal bolts in the stone casement. Kim struggled to his feet as the door shook and heaved on its hinges. Someone or something was trying to break through. Now Kim heard other noises, shouts and bangs and the unmistakable stomping of boots on stairs. Intruders were in the house. Kim Dotcom realized he was under attack.

Across an ocean, hours before Operation Takedown began, the US Department of Justice had already tipped off a select group of journalists about the raid’s planned highlights. If you know nothing else about Kim Dotcom, about the federal case against him and his former online business, Megaupload, you’ve probably heard about the raid. The story played out like a Hollywood blockbuster. And it was a great story.

The scene: New Zealand. Lush and Green and Freaking Far Away. It’s the Canada of Australia, Wales in a Hawaiian shirt, a Xanadu habitat for Hobbit and emu.

And harbor home to the villain: Kim Dotcom, né Kim Schmitz, aka Tim Vestor, Kim Tim Jim Vestor, Kimble, and Dr. Evil. A classic comic book baddie millionaire, an ex-con expatriate German ex-hacker lording over his own personal Pirate Bay just 30 minutes north of Auckland. Kim Dotcom was presented as a big, bad man, larger-than-life, larger than his 6′ 7″, perhaps 350-pound frame. We saw him posed with guns and yachts and fancy cars. We watched him drive his nitrox-fueled Mega Mercedes in road rallies and on golf courses, throwing fake gang signs at rap moguls and porn stars, making it rain with $175 million in illicit dotcom booty.

His alleged 50-petabyte pirate ship was Megaupload.com, a massive vessel carrying, at its peak, 50 million passengers a day, a full 4 percent of global Internet traffic. Megaupload was a free online storage locker, a cloud warehouse for files too bulky for email. It generated an estimated $25 million a year in revenue from ads and brought in another $150 million through its paid, faster, unlimited Premium service.

The DOJ maintains that the legitimate storage business was only a front, like a Mafia pork store; the real money was made out back, where Megaupload was a mega-swapmeet for some $500 million worth of pirated material, including movies, TV shows, music, books, videogames, and software. Kim, they contend, was the Jabba the Hutt-like presence running this grand bazaar of copyright criminality with impunity from his Kiwi Tatooine, protected by laser break beams and guards and guns, CCTV and infrared and even escape pods—including a helicopter and high-performance sports cars. The FBI also believed Kim possessed a special portable device that would wipe his servers all across the globe, destroying the evidence. They called this his doomsday button.

Operation Takedown was carried out by armed New Zealand special police and monitored by the FBI via video link. Descriptions of the raid varied from one news outlet to another, but most included the cops’ dramatic helicopter arrival on the expansive Dotcom Mansion lawn and their struggles with a security system fit for a Mafia don.

We read that police were forced to cut their way into Dotcom’s panic room, where they found him cowering near a sawed-off shotgun. That same day, similar raids were under way in eight other countries where Megaupload had servers or offices.

This was justice on an epically entertaining scale, topped by a final cherry of schadenfreude: the rich fat bad man humbled and humiliated, the boastful pirate king brought down. He was cuffed and put in jail, his booty seized, his business scuttled upon the reefs of anti-racketeering laws. If all went as planned, he and his six generals would be extradited to the US to face a Virginia judge and up to 55 years each in prison. The message was, if it could happen to him, it could happen to anyone. Look upon these works, ye BitTorrenters of Dark Knight trilogies, sneak thieves of 50 Cent, and despair in your pirate bays. Justice was served, the end, roll credits. Yes, it was a great story.

The only problem was, it wasn’t quite true.

Megaupload Is Dead. Long Live Mega!

Photo: Wilk

They’ve been indicted by the U.S. government for conspiracy and briefly thrown in jail, but Kim Dotcom and his partners in the digital storage locker Megaupload have no intention of quitting the online marketplace.

Instead the co-defendants plan to introduce a much-anticipated new technology later this year that will allow users to once again upload, store, and share large data files, albeit by different rules. They revealed details of the new service exclusively to Wired.

They call it Mega and describe it as a unique tool that will solve the liability problems faced by cloud storage services, enhance the privacy rights of internet users, and provide themselves with a simple new business. Meanwhile, critics fear that Mega is simply a revamped version of Megaupload, cleverly designed to skirt the old business’s legal issues without addressing the concerns of Internet piracy.

(Dotcom and three of his partners remain in New Zealand, where they were arrested in January 2012. They face extradition to the U.S. on charges of “engaging in a racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering, and two substantive counts of criminal copyright infringement,” according to the Department of Justice.)

What Mega and Megaupload do have in common is that they are both one-click, subscriber-based cloud platforms that allow customers to upload, store, access, and share large files. Dotcom and his Mega partner Mathias Ortmann say the difference is that now those files will first be one-click-encrypted right in a client’s browser, using the so-called Advanced Encryption Standard algorithm. The user is then provided with a second unique key for that file’s decryption.

It will be up to users, and third-party app developers, to control access to any given uploaded file, be it a song, movie, videogame, book, or simple text document. Internet libertarians will surely embrace this new capability.

And because the decryption key is not stored with Mega, the company would have no means to view the uploaded file on its server. It would, Ortmann explains, be impossible for Mega to know, or be responsible for, its users’ uploaded content — a state of affairs engineered to create an ironclad “safe harbor” from liability for Mega, and added peace of mind for the user.

“If servers are lost, if the government comes into a data center and rapes it, if someone hacks the server or steals it, it would give him nothing,” Dotcom explains. “Whatever is uploaded to the site, it is going to remain closed and private without the key.”

Dotcom’s belief is that even the broad interpretation of internet law that brought down Megaupload would be insufficient to thwart the new Mega, because what users share, how they share it, and how many people they share it with will be their responsibility and under their control, not Mega’s.

Dotcom says that according to his legal experts, the only way to stop such a service from existing is to make encryption itself illegal. “And according to the U.N. Charter for Human Rights, privacy is a basic human right,” Dotcom explains. “You have the right to protect your private information and communication against spying.”

Dotcom says that the new Mega will be an attractive product for anyone concerned about the state of online security. And to address the concerns about data loss of the sort that affected Megaupload customers whose files were seized by the FBI, Mega will store all data on two sets of redundant servers, located in two different countries.

“So, even if one country decides to go completely berserk from a legal perspective and freeze all servers, for example — which we don’t expect, because we’ve fully complied with all the laws of the countries we place servers in — or if a natural disaster happens, there’s still another location where all the files are available,” Ortmann says. “This way, it’s impossible to be subjected to the kind of abuse that we’ve had in the U.S.”

Ultimately, Dotcom envisions a network hosted by thousands of different entities with thousands of different servers, in countries all over the world.

“We’re creating a system where any host in the world — from the $2,000 garage operation to the largest online host — can connect their own servers to this network,” Dotcom says. “We can work with anybody, because the hosts themselves cannot see what’s on the servers.”

One of the more unique wrinkles of the new service may come from Mega’s decision not to deploy so-called de-duplication on its servers, meaning that if a user decides to upload the same copyright-infringing file 100 times, it would result in 100 different files and 100 distinct decryption keys. Removing them would require 100 takedown notices of the type typically sent by rights holders like movie studios and record companies.
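
The client-side encryption and the missing de-duplication described above, sketched as an added example (not Mega's code and not from the article). Node's `crypto` module stands in for the browser, and the AES-GCM mode, 256-bit key, blob layout, and the names `encryptForUpload`, `decryptDownload` and `BlobStore` are assumptions.

```javascript
// Added illustration, not Mega's code. AES-256-GCM and every name are assumptions.
const nodeCrypto = require('node:crypto');

// Client: encrypt under a fresh random key that is never sent to the server.
function encryptForUpload(plaintext) {
  const key = nodeCrypto.randomBytes(32);  // per-file key, handed to the user
  const iv = nodeCrypto.randomBytes(12);   // GCM nonce, stored with the blob
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { key, blob: Buffer.concat([iv, cipher.getAuthTag(), body]) };
}

// Client: only a holder of the key can turn the stored blob back into the file.
function decryptDownload(blob, key) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Server: sees ciphertext only, and tries to de-duplicate by SHA-256 of what it receives.
class BlobStore {
  constructor() { this.blobs = new Map(); }
  put(blob) {
    const id = nodeCrypto.createHash('sha256').update(blob).digest('hex');
    const duplicate = this.blobs.has(id);
    this.blobs.set(id, blob);
    return { id, duplicate };
  }
}

// Constructed sample: the same file uploaded twice.
function demo() {
  const file = Buffer.from('constructed sample file contents');
  const store = new BlobStore();
  const first = encryptForUpload(file);
  const second = encryptForUpload(file);
  store.put(first.blob);
  const again = store.put(second.blob);
  let wrongKeyRejected = false;
  try { decryptDownload(first.blob, second.key); } catch (e) { wrongKeyRejected = true; }
  return {
    storedObjects: store.blobs.size,          // two objects for one plaintext
    secondSeenAsDuplicate: again.duplicate,   // content hash cannot match
    roundTrip: decryptDownload(first.blob, first.key).equals(file),
    wrongKeyRejected,                         // each copy needs its own key
  };
}
```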

While Mega is adamant that this is not the point of their technology, others fear the service may atomize the piracy problem, turning internet policing into an even more elaborate game of Whac-A-Mole. “As we learned from the first iteration of Megaupload, how it describes itself and how it really operates can be two very distinct things,” says one industry spokesman who asked not to be named. “We’d rather not wade in here until we can see the thing with our own eyes.”

Julie Samuels, a staff attorney with the Electronic Frontier Foundation, says that while the new Mega may present an interesting development for internet users, it doesn’t answer the issues raised by the unique and, by her lights, questionable interpretation of Internet law used in the case against Megaupload. “It’s likely to change the cat-and-mouse game that goes on in terms of this issue on the Internet,” Samuels says. “But it’s still a cat-and-mouse game.”

Samuels says that the technology may affect how easy or difficult it is for rights holders or law enforcement to determine exactly what kind of files are being shared. “But there are still some fundamental questions that need to be answered. At this point, it’s not technology but the courts which need to address them.”

Dotcom insists that Mega is not “a giant middle finger to Hollywood and the DoJ,” or a relaunch of Megaupload. And Ortmann points out that if users choose to violate copyright with the new technology, there are already rules in place to address it. “If the copyright holder finds publicly posted links and decryption keys and verifies that the file is an infringement of their copyright, they can send a DMCA takedown notice to have that file removed, just like before,” he says.

As with Megaupload, Ortmann says, Mega will also grant direct access to their servers for entities such as film studios, allowing them to remove copyright-infringing material themselves. “But this time, if they want to use that tool, they’ll have to accept, prior to getting access, that they’re not going to sue us or hold us accountable for the actions of our users,” Dotcom says.

In any event, the Mega team believes that a government takedown of their new service is extremely improbable. “Unless our legal team tells us that the DoJ is likely to go berserk again,” Ortmann explains. “But in my view, they can’t pull off this stunt a second time.”

Hacker Fight: Everything You’ve Been Told About Passwords Is Wrong

Photo: Simon Lieschke / Flickr

Security is not just about strong encryption, good anti-virus software, or techniques like two-factor authentication. It’s also about the “fuzzy” things … involving people. That’s where the security game is often won or lost. Just ask Mat Honan.

We – the users – are supposed to be responsible, and are told what to do to stay secure. For example: “Don’t use the same password on different sites.” “Use strong passwords.” “Give good answers to security questions.” But here’s the troublesome equation:

more services used = more passwords needed = more user pain

… which means it only gets harder and harder to follow such advice. Why? Because security and practicality are in conflict.

But they don’t have to be. As someone who has studied millions of passwords and how they were constructed – I’ve spent most of my waking hours for over a decade obsessing about authentication methods – I say we can have both security and practicality.

And it starts with recognizing that a lot of security advice hurts more than it helps.