While there are definitely many security-related holes and privacy concerns to be had about the free (but not open-source) Dropbox file sharing service, it has taken the world by storm, including many activist and human rights groups, mostly due to the simplicity and effectiveness of its user experience. As we have seen many times before, software and services that “just work”, will always win out over more secure options with the majority of the population. This post is a quick attempt to share some simple steps you can take to ensure your use of Dropbox, or any similar cloud-based file storage and sharing system, is more properly protected, obscured or otherwise mitigated as a direct threat to the security of your information.
1. Use Dropbox over Tor to stop local network monitors from knowing you are using Dropbox to begin with. This also is a good configuration to use with people who live in places where Dropbox might be blocked, but Tor is not.
Install Tor and use Vidalia (the GUI controller) to connect to the Tor network.
Set Dropbox->Preferences->Network->Proxy Settings to use Tor’s secure SOCKS proxy on localhost, port 9050
2. Set Bandwidth Usage to a low value to avoid creating large spikes in network traffic. This will reduce the likelihood your particular use will be singled out if you are syncing large media files or other transfers.
Set Dropbox->Preferences->Network->Bandwidth Usage to a low value such as 50KB/s for upload and download
3. Use Truecrypt to create encrypted disk volume files inside of Dropbox, and then store your files inside of that. This can still be shared by multiple users, if you use a password based volume.
Download, install and configure the free, open-source TrueCrypt software: http://www.truecrypt.org/
Create a new TrueCrypt volume, stored within a Dropbox folder
All in all, there are more secure ways to share sensitive information, such as using GPG file encryption or another OpenPGP solution, but if you absolutely must use Dropbox, and you are under any sort of threat at all to having the information you store on it used against you, then please follow this advice I have shared.
If you have additional tips, warnings or configurations along these lines, please add them to the comments below.