acb's technical journal

Posts matching tags 'security'

2016/3/3

Dropbox for paranoiacs

Like many people, I have a Dropbox account; it comes in handy for sharing files with collaborators. However, Dropbox has one significant problem: that of trust. It is a closed-source program, running a proprietary protocol; the user has no means of verifying its operation or its security, and thus using it is giving an opaque program access to one's system, and having faith that (a) it only does what it says it does (i.e., synchronising a directory tree of files between machines), (b) it cannot be quietly subverted by its creators to do other things without one's consent, and (c) it has no security holes that a third party could exploit to pwn all your stuff.

Other people have noticed this as well, and there are several existing articles on ways of compartmentalising Dropbox on a Linux system. These articles generally rely on running it in a chroot jail, restricting its filesystem access to an isolated subtree. The problem with this is that chroot is a thin layer of defense against an untrusted application; it only restricts access to the filesystem, and there have been ways to break out of it; if an attacker can get root privilege, they can get out. In short, trusting chroot to secure an untrusted application is a leap of faith.

Fortunately, chroot is not the only possibility these days; with improving CPU performance and the falling cost of RAM, a moderately powerful computer has enough power to run several virtual machines, each one running its own isolated operating system. These can be run using the freely available VirtualBox application, which is able to run its virtual machines in headless mode. In other words, it is possible to devote a small amount of memory, disk space and CPU power to simulating a small dedicated Linux box dedicated to running a Dropbox client. This box can run a NFS server, through which you can access your Dropbox files from your main machine as if they were stored locally. And, should the Dropbox client turn out to be, or be compromised by, malware, it has access to literally nothing more than a freshly-installed Linux box running itself.

The process has multiple stages: one will need to create a virtual machine, install Linux on it, install the Dropbox client (and configure it to connect to one's account), set up networking and NFS to get at one's files, and configure the host system to automatically start the virtual machine at boot time. In my example, I am using the Debian Linux distribution (in particular, Debian Jessie 8.2.0); the instructions will differ for other distributions.

 [...]

dropbox linux security virtualbox 0

This will be the comment popup.
Post a reply
Display name:

Your comment:


Please enter the text in the image above here: