They don't publish their key derivation scheme, but I'd be shocked (and pleased) to find that they were savvy enough to actually use PBKDF2 or even stretched SHA1. Believe it or not, plenty of commercial vendors literally take the ASCII of the password as the key.
I'd also worry, based on that spec, that the Arq developers believe the SHA1 hashes they store are fully equivalent to a deliberate MAC.
I should have noted that Arq's git-like scheme makes them inherently more careful about storage and data integrity (under non-adversarial conditions) than Jungledisk. My perusal of their site was casual. I really don't know much about them and am not offering a professional opinion.
I emailed you asking for professional help in reviewing the security aspects of Arq. I'm not an expert, and I'd like to get it right. If anybody else has the expertise to do this review, please email me at [email protected].
In general, if you're an indie developer and you're doing custom crypto stuff, I'm happy to do a consult free of charge. You'll probably find other software security firms are similarly willing to do that kind of stuff, just like the good law firms will tend to do up-front consults for free.
Full-on software reviews, particularly by consultants competent enough to review crypto, are very expensive. You can probably get away without doing one, as long as you get good advice and have people to bounce ideas and problems off of.
Karmically, being someone to bounce ideas and problems off of has paid off for Matasano dramatically, so, anyone else reading this thread, consider this an open invitation.
