I'm curious what they mean by "secure", since they seem to be trumpeting it as a major selling point. They say that all communication goes through HTTPS, which is nice, but they don't say if the information is encrypted on their servers as well. Can someone who gets a VM running on the same machine use clever side-channel trickery to peek at my files? Can a government get Amazon to quietly reveal all my data?
What would be really nice is something where files get stored fully encrypted, with the key derived client-side from your username and password, and the connections all use HTTPS. (Or something similar. I'm not a security expert, so take this with a grain of salt.)
"Fully encrypted, with the key derived client-side from your username and password" is easier said than done. It means that the key is as weak as your password and that you need to download a special client or plug-in on every device you want to read your files from.
That key will almost certainly be cached and persisted on a device. Otherwise, you'd need to enter a password every time you need to decrypt a blob of data. That means you need some way to revoke a key when you lose a device. You'll also need some key recovery mechanism when users inevitably forget their password.
Sharing files effectively becomes a key distribution problem. Another consideration is that you can't just upload diffs of files when they change or easily perform data deduplication.
SpiderOak handles most of the above. So does Tarsnap, aside from the sharing. Neither do key recovery for lost passwords, as that defeats the entire purpose of having the key to begin with.
If you toss out the GUI stuff and the boilerplate encryption algorithms, the amount of important code in TrueCrypt is fairly small. It has, naturally enough, been subjected to attempts to break it:
> If you toss out the GUI stuff and the boilerplate encryption algorithms, the amount of important code in TrueCrypt is fairly small.
First of all, even if you use "boilerplate" encryption algorithms, crypto is ridiculously easy to get wrong, especially in a very demanding setting of disk encryption. Second, TrueCrypt's ability to present its volumes as virtual drives/mountable images is no small feat (both in Linux and NT).
OK, can't speak for their forum banning as I'm not familiar with that situation and correct I cannot find any public repositories - but that's not too rare for some open source projects.
The reasons for being partially anonymous are pretty clear, I doubt various governments are a great fan of TrueCrypt especially with its plausible deniability.
While I agree that we should not blindly place trust in security tools and assume we are safe, this link [1] gives me some optimism about TC's security (if it is to be believed... that's the problem with paranoia).
I made a question on Quora [1] for this in case anyone wants to contribute. I've seen alot of conflicting discussion on Hacker News as to the authenticity of TrueCrypt. Hopefully we can continue the dialogue and organize the response over there, as it may go beyond the scope of the discussion here, where it arguably only has a tenuous connection to amazon cloud storage or other web storage services.
What would be really nice is something where files get stored fully encrypted, with the key derived client-side from your username and password, and the connections all use HTTPS. (Or something similar. I'm not a security expert, so take this with a grain of salt.)