Swiss-based Wuala.com is a much better solution.
SpiderOak has been saying they "expect to make the SpiderOak client code open source in the not-distant future"  for years now, and their code still is not fully open-source. I completely understand their situation and know it's not always possible to fully open up the code, but I'm not able to overlook this deal breaker either.
Encrypt locally using only open source tools, then sync with whichever online backup/sync provider you like. It's the storage version of a 'dumb pipe', maybe we call it 'dumb containers'. Everything else is marketing bullshit which will evaporate once that first official demand for your data arrives.
While open-sourcing the desktop client isn't going as fast as we'd like, I'd like to point out that practically all current and future projects are open source on our GitHub (https://github.com/SpiderOak/), including our next-gen encryption system Crypton (which will eventually replace the data structures in the desktop client ANYWAY)
It's still available at the link below if any SpiderOak user (or potential customer) wants to use it to "show the numbers" on a single site (as opposed to scattered comments):
There's an online backup service called Cyphertite (cyphertite.com) that provides the sources for its client programs on all the platforms it supports. So I don't really see why SpiderOak, with its prominent proclamations of "zero knowledge", cannot walk the talk.
Of course, I understand that certain competitive advantages may take longer to provide in the open (until factors other than the client source code and backend architecture become competitive advantages). But I have to admit that SpiderOak has been dragging on opening up the source.
Edit: Let me also admit that I do like SpiderOak and the emphasis it places on privacy and in educating users about privacy. We need more services that strongly support what ought to be basic rights.
Actively in development, stable, ready for enterprise use.
If only there was such a provider that gave you the dumb pipe version of an offsite filesystem ... it's on the tip of my tongue ...
While I trust the Swiss a lot more than I do anything in or from the US, I certainly wouldn't bet my life on it.
The links below are what a quick search yielded. Not much time to dig deeper at the moment.
This is the special risk of dealing with US-based companies. They can be forced to install decryption backdoors or hand over their users' data while continuing to tell the users they are unable to do so. So you must assume no US-based service is truly secure.
Might take a serious look at it now...
For what it's worth, SpiderOak Blue is often purchased by enterprise customers as a "private cloud", where an organization can run the server side components locally.
By the way, if I recall correctly, Wuala is owned by LaCie which is owned by Seagate, which is US based. IMO, open products are the solution. We're making it a priority.
Without the source, their security is meaningless. You've just given a closed source application access to the network, and to your files. You've already lost the game.
Edit: Thinking about it, this is the real problem with encryption: the good is the enemy of the perfect. A 90% solution is worse than a half assed one, because you know not to trust the bad solution.
That is a lot of regular ping messages, directory listings, and software updates that can be overlooked in that period.
As another commenter pointed out, you voluntarily give the password if you use the web UI. Probably the same if you use a mobile client. So there is built-in room for honest mistakes in their service definition.
So basically, you still need to trust a third party, and looking at the recent news, they are really out there to get you.
Another thing that nobody is talking about and that is at the heart of the internet: what about all those SSL certificates?
That being said, it's all about trust, since both are closed source and there's only trust that's left to the users.
I wish there existed a ubiquitous open source alternative.
If you are using Linux, FreeBSD or Mac OSX you can use local open source encryption before your data touches the sync program (or even the online backup servers) with EncFS. I'm using it with Dropbox and it is solid, easy to use and set up, and does efficient file-based encryption (so no re-uploading folders just because you changed a file inside).
Gnome desktops even have the Gnome EncFS Manager if you want a GUI way to set it up.
Granted Boxcryptor isn't open source, but otherwise you get yourself a full encfs-compatible Dropbox stack.
The big advantage of Tarsnap is that it supports efficient encrypted deduplicated snapshots; it only stores blocks that have not been stored before, so you can have many versioned backups using much less space than they would otherwise.
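To show what "only stores blocks that have not been stored before" looks like when the server never sees plaintext, here is an added Go example; it is not Tarsnap's code (Tarsnap's chunker, key schedule and formats differ), and the `Store`, `Client`, block size and sample data are constructed for the demo. Block IDs are an HMAC over the plaintext under a client-held key, so identical blocks deduplicate but the server cannot compute an ID for a guessed file; each block is then AES-GCM sealed under a second client key with its ID as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// blockSize is tiny so the constructed sample splits into a few blocks;
// a real tool uses far larger, content-defined chunks.
const blockSize = 8

// Store is the server side: block ID -> sealed block. It holds no keys, and a
// keyed (HMAC) ID lets it neither recognise known plaintexts nor test guesses.
type Store struct {
	Blocks  map[string][]byte
	Uploads int // blocks the client actually had to transfer
}

// Client keeps two client-side secrets: idKey names blocks, encKey encrypts them.
type Client struct {
	idKey, encKey []byte
	store         *Store
}

func NewClient(store *Store) (*Client, error) {
	c := &Client{store: store, idKey: make([]byte, 32), encKey: make([]byte, 32)}
	if _, err := io.ReadFull(rand.Reader, c.idKey); err != nil { return nil, err }
	if _, err := io.ReadFull(rand.Reader, c.encKey); err != nil { return nil, err }
	return c, nil
}

// blockID is HMAC-SHA256 over the plaintext block: identical blocks get
// identical IDs (so they deduplicate), but only a key holder can compute one.
func (c *Client) blockID(plain []byte) string {
	m := hmac.New(sha256.New, c.idKey)
	m.Write(plain)
	return hex.EncodeToString(m.Sum(nil))
}

func (c *Client) aead() (cipher.AEAD, error) {
	b, err := aes.NewCipher(c.encKey)
	if err != nil { return nil, err }
	return cipher.NewGCM(b)
}

// Snapshot splits data into blocks and uploads only those the store lacks.
// The manifest (ordered block IDs) is all that identifies this snapshot.
func (c *Client) Snapshot(data []byte) ([]string, error) {
	aead, err := c.aead()
	if err != nil { return nil, err }
	var manifest []string
	for i := 0; i < len(data); i += blockSize {
		end := i + blockSize
		if end > len(data) { end = len(data) }
		plain := data[i:end]
		id := c.blockID(plain)
		manifest = append(manifest, id)
		if _, seen := c.store.Blocks[id]; seen {
			continue // already stored by an earlier snapshot: nothing to send
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
		// The ID is bound as associated data, so a block the server swaps
		// under a different ID fails authentication on restore.
		c.store.Blocks[id] = append(nonce, aead.Seal(nil, nonce, plain, []byte(id))...)
		c.store.Uploads++
	}
	return manifest, nil
}

// Restore reassembles a snapshot from its manifest.
func (c *Client) Restore(manifest []string) ([]byte, error) {
	aead, err := c.aead()
	if err != nil { return nil, err }
	var out []byte
	for _, id := range manifest {
		sealed, ok := c.store.Blocks[id]
		ns := aead.NonceSize()
		if !ok || len(sealed) < ns { return nil, errors.New("missing or truncated block") }
		plain, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(id))
		if err != nil { return nil, err }
		out = append(out, plain...)
	}
	return out, nil
}
```

Taking two snapshots of a file that differs in one block uploads the changed block only, while both manifests still restore. The fixed-size split here means an insertion near the start would shift every later block and defeat dedup; rolling-hash chunking avoids that, and the keyed ID is what keeps the server from learning whether two users hold the same file.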
Switzerland is not some magic amulet that solves these problems once and for all.
You know who that is.
Just remember to not use the Web UI: if you do so, your plaintext password is sent to the servers, because decryption happens on the servers. This is mentioned in their FAQ. Unless things have changed since the last time I checked.
I'd also worry about a catastrophic event of Lastpass losing those passwords somehow, and then remaining locked out of many websites.
And what about BitTorrent Sync with an old PC as an alternative? They even have an iOS app now.
I definitely recommend keepass over lastpass.
A bit OT, but I'm guessing you're using keepassx for non-Windows OS? Is there a benefit to it compared to simply using keepass with Mono?
So I'm pretty sure that you'd have to lose basically every device it's on and have LastPass's cloud deleted to lose them all.
Only issue is protecting that journal... Hopefully I can eat the pages if things were to arise. Ha
Or losing it.
1) It won't sync the truecrypt volume while it's open (cause the file is in use), so if you want to encrypt stuff you work on regularly, you have to close the truecrypt volume regularly to sync it, which is a PITA.
2) Since it's one big volume, it takes forever to sync up even if you only modified a single file inside it. Say, for example, I have a 5 GB truecrypt volume containing some project I'm working on. If I open it, update the readme, then close it, it has to resync 5 GB...
So overall, this is far from an optimal solution...
#1 is indeed a PITA. I don't know of a better alternative I trust though. In practice the files I'm changing daily are small and aren't top secret, so I zip them and put the zip file in the DropBox. Then I don't have to unmount the truecrypt volume so often.
We tried SpiderOak but the security was hard for our users. We ended up using Syncdocs which encrypts Google Drive. It lets our team share and use Google Docs normally, but secure folders we need to keep encrypted. They also disclose their AES encryption source.
I just need to set up a synchronization/encryption schedule. I'm thinking rsync remotely to the server. Not sure on encryption yet.
I'm also using the servers as development and minor hosting for myself. It's practically a free storage solution?
Am I crazy?
I also have a bigger drive at home mounted on a raspberry, which stores both the important files (as a second backup) and a lot of unimportant crap.
I'm hoping to look at rsync in order to do partial changes, so I could synchronize VM disks and other large files.
I don't like keeping my PC turned on to perform a sync, so I would love to set up a Raspberry Pi to do the work for me, but it only has USB 2.0...
I would just write the code here, but I'd rather you visit the wonderful site ;)
Edit: Do a search for RamNode.
I wish they'd release simple sourcecode for a headless sync client or that someone would reverse engineer it enough for that to happen. As it is, you can sshfs mount a folder synced by one of your x86 computers, but that's definitely not ideal.
Other than that complaint I've enjoyed using SpiderOak and it's a great piece of software.
The one main problem is that it's not an open source client, which seems like the ideal solution.
Edit: Why downvotes?
As a Dropbox user, I find that the files get synced very quickly and I wonder if these alternatives (Spideroak/Wuala) being suggested will match that speed. That will be a factor as well to consider.
Oh, you're saying it wouldn't be possible with client-side encryption? I say it should be, using a mix of symmetric and asymmetric encryption:
- have all data of a repository encrypted using a symmetric key, at first known only by the repository owner.
- the symmetric key gets sent on the cloud host's server, encrypted using the owner's public key.
- every new device or share with a new user will require a previous user (in this case the owner) to decrypt the symmetric key using his private key and encrypt it using a new public key that the new user / device has sent together with its access request.
- the cloud host simply grows a table of encrypted symmetric keys, with one entry per device/user, besides the actual encrypted data. Note that the cloud host still can never decrypt the data, as long as the private keys never get sent around.
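The four steps above, as an added Go example that is not code from any provider named in the thread: a random AES-256-GCM key encrypts the repository, RSA-OAEP wraps that key to each device's public key, and the host stores only ciphertext plus the growing table of wrapped keys. The `Device`, `Repository`, `Grant` and `Read` names are mine, and the repository contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Device is one user or device. Only the public half of its key pair is ever
// sent anywhere; the private half stays on the device.
type Device struct {
	Name string
	priv *rsa.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Device{Name: name, priv: priv}, nil
}

func (d *Device) Public() *rsa.PublicKey { return &d.priv.PublicKey }

// Unwrap recovers the repository key with this device's private key.
func (d *Device) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, wrapped, nil)
}

// Repository is everything the cloud host stores: the AES-GCM ciphertext and a
// table of the symmetric key wrapped to each enrolled device's public key.
type Repository struct {
	Ciphertext  []byte            // nonce || AES-GCM ciphertext
	WrappedKeys map[string][]byte // device name -> RSA-OAEP(symmetric key)
}

func wrap(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// CreateRepository: the owner picks the symmetric key, encrypts the data and
// uploads the ciphertext plus the key wrapped to the owner's own public key.
func CreateRepository(owner *Device, data []byte) (*Repository, error) {
	symKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, symKey); err != nil { return nil, err }
	aead, err := newGCM(symKey)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	w, err := wrap(owner.Public(), symKey)
	if err != nil { return nil, err }
	return &Repository{
		Ciphertext:  append(nonce, aead.Seal(nil, nonce, data, nil)...),
		WrappedKeys: map[string][]byte{owner.Name: w},
	}, nil
}

// Grant enrolls a new device: an already-enrolled device unwraps the key with
// its private key and re-wraps it for the newcomer's public key. The host only
// gains one more table row and never learns the symmetric key.
func Grant(repo *Repository, granter *Device, newName string, newPub *rsa.PublicKey) error {
	wrapped, ok := repo.WrappedKeys[granter.Name]
	if !ok { return errors.New(granter.Name + " is not enrolled and cannot grant access") }
	symKey, err := granter.Unwrap(wrapped)
	if err != nil { return err }
	w, err := wrap(newPub, symKey)
	if err != nil { return err }
	repo.WrappedKeys[newName] = w
	return nil
}

// Read: a device unwraps its own table row and decrypts the repository.
func Read(repo *Repository, d *Device) ([]byte, error) {
	wrapped, ok := repo.WrappedKeys[d.Name]
	if !ok { return nil, errors.New(d.Name + " has no key entry") }
	symKey, err := d.Unwrap(wrapped)
	if err != nil { return nil, err }
	aead, err := newGCM(symKey)
	if err != nil { return nil, err }
	ns := aead.NonceSize()
	if len(repo.Ciphertext) < ns { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, repo.Ciphertext[:ns], repo.Ciphertext[ns:], nil)
}
```

Two properties of this table are worth keeping in mind as a defender: anyone who holds a row can re-share the repository to any public key (the host cannot stop that), and deleting a row does not revoke anything, since that device already learned the symmetric key; real revocation means generating a new key, re-encrypting the data and re-wrapping for the remaining devices.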
"NOTE: Curious about how we retain 'zero-knowledge' privacy while password creation happens on the web? Click here for more details."
But no link. So... is this a joke? Why can't they explain this in their FAQ instead of having to get a PDF then a (non-existent) link to it? I've been searching the FAQs and under Privacy and Passwords and all I can find is:
"More information about this is on our website in the engineering section of our website, which talks about our zero knowledge approach, the password policy, and encryption specifications."
Engineering section? I can't see where it is.
My point is, if "security and privacy" are one of the main selling points of the product... yet you have to jump through hoops and loops to get some details on the implementation and STILL don't have the info... smells fishy.
This is the Engineering Page with Encryption Specifications: https://spideroak.com/engineering_matters
I've written about the problem of cloud security and cloud privacy here: http://vuongnguyen.com/personal-business-cloud-security.html.
We're just a startup who was trying to solve our own problem with the cloud security & privacy. Would love to hear from you.
I will take a look at ncryptedcloud.com though in case it's useful for people I advise. :-)
The cache should be able to deal with it now, but I appreciate the mirror. :-)
The definition of illegal varies over time and you have no control over it at all.
+1 to changing definitions of 'illegal' (along with 'madness', etc.)
Since the product is zero knowledge, we can't just look at the server to see what a problem might be. Troubleshooting involves analyzing logs from the end point devices, finding out all the relationships involved in the sync (one machine is Mac using case preserving insensitive unicode form D, the next is Windows with relevant regional settings, another is a Linux NFS server, a FAT32 volume that doesn't preserve certain characteristics and has limitations for MAXPATH, etc.)
It often takes a couple of hours of analysis to understand what a specific situation's problem might be, and the median case is that it comes down to application level things that SpiderOak can't do much about other than explain to people why syncing (for example) Quickbooks files between two open and running instances of Quickbooks at the same time is not going to have the effect they desire. Or any number of combinations like that. People put very weird stuff in filesystems.
In any case, sorry it didn't work for you. We did recently finally resolve a couple of long standing edge cases in the Unicode sync logic in the 5.0.3 release. Let me know if you'd like to give it another try. In any case, thanks for your interest in SpiderOak.
At least your data will be behind a strong firewall
It seems to me that for many people, using an open-source tool does more to provide peace-of-mind than actual security assurances.
"Your data is encrypted by you before upload to our system and therefore we do not and cannot access that content unless we are provided with the decryption key. You may give access to others by providing them with a link and decryption key and you shall be responsible for their compliance with this Policy."
But they also say that they'll comply with legal requests. These articles explain it better than me:
I want to backup and sync at the same time to an offsite server.
While I could roll my own solution, I want something that I can recommend to family/friends/my network (and that's congruent with their technical skills). :-)
In other words: why not pay?
https://copy.com?r=C3kqI8 (This is a referral link providing 5GB extra to both.)
Edit: Actually, I guess that's for their basic paying account.
This means they control your access to syncing your own files.
BitTorrent Sync lets me do the same thing, but under my own control. Only thing missing there is being able to choose your own tracker.
Think of your files as termites. BeePine Mound is like a secure mound in the cloud for all your stuff.