Truecrypt doesn't protect from hackers at all though, only from people who already have physical access to your computer. Plus it only protects from them if they are retarded and don't know how to covertly obtain passphrases, or just cold boot memory into a forensics laptop.

VMs can be useful for security, but it is a matter of having the right type of VM and also knowing the benefits and limitations. Isolating network-facing applications into a VM away from Tor and your real IP address can be a very big security boost in some ways. For one, it can eliminate all possible IP leaks / DNS leaks etc. For two, it can make it so even if you are rooted the attacker cannot obtain your real IP address unless they break out of the VM and get to the host. It has disadvantages too though; primarily it increases complexity, which means that it is easier for the attacker to root your VM than it would be for them to root the same OS running on bare metal. The type of VM used has a lot to say about how hard it is for the attacker to break out of the VM and how much easier it is for them to root the VM versus the same OS being run on bare metal. Paravirtualization seems to be the best of both worlds. Check out Qubes OS; it is a pretty cool security-oriented distro that is based on Xen. It lets you create security domains and automatically puts every application you launch into a VM that is isolated into a security domain you set.

Windows is still widely considered to be the least secure choice of OS, and using Truecrypt for FDE doesn't protect from anything but a small range of potential attacks. You should still use FDE on your real disk though, and of course not rely on FDE of a virtual drive. If you are not using some sort of GUI isolation, be it from VMs or from mandatory access control profiles, any compromise of a windowed application is pretty much game over. You could have a Tetris application that has the lowest possible user privileges pwnt; sucks, because your desktop environment almost certainly is broadcasting keystrokes to all windowed applications, so they can spy on your keystrokes and EOP to root after you SU.

Pretty much what it boils down to is that you can use the best encryption algorithms every place you possibly can, and the best anonymity networks in the world, and it isn't going to do shit to protect you if you are hacked. Using encryption and anonymizers is important, but hardening your OS and using advanced configuration techniques and technologies to protect from hackers is just as important, and Windows is about as specialized for high security against hackers as *BSD is for gaming. If you don't think you need to worry about being hacked, just look up CIPAV. When the FBI runs into a wall trying to identify a target who is using strong encryption and anonymizers, they turn to their arsenal of zero days and potentially-unpatched exploits and try to find a combination that lets them bypass the security functionality that they can't directly break. The DEA was working on developing a similar set of pre-packaged hacking tools for tracing and wiretapping targets using crypto/anonymizers as well; I heard about that for the first time about two years ago.