What would I really like to see in Dropbox? Signed binaries!


A few months ago, I asked the Identi.ca community what I could use to (more or less) securely synchronize my documents across the three major platforms (Linux, Mac OS X and Windows), for free. I was introduced to Dropbox.
On a recent episode of Security Now!, Steve Gibson mentioned a neat freeware tool for Windows called prio. Among the various extremely useful functions prio offers (it's chiefly designed to make process priority sticky across launches), it will also highlight, in green or red, in the Windows Task Manager, services and processes which contain a valid digital signature.
Sample prio screenshot (from the author's site) of the Task Manager showing red and green processes.
As I have become increasingly aware of the security implications of running a Windows-based machine, I've become very sensitive to things such as digital signatures in executables. To quote from prio's manual (which explains the topic quite well):

What is a digital signature for? An electronic digital signature is an attribute of an electronic document used to protect it against forgery and verify its authenticity. A lot of malicious software disguises itself as Windows system processes. It is possible to forge the name of an executable file, but it is impossible to forge its digital signature. With Prio, you can always analyze the list of running processes in order to check the digital signature of their files or their network activity.

The bottom line: Dropbox, please sign your binaries! I'm entrusting your service with my documents, photos, and other personal or work data. More importantly, I'm letting the binary reside in memory and read and write arbitrarily to my hard disk. A valid signature on the Dropbox.exe binary would help me know that nothing foul is going on, to the extent that Dropbox.exe hasn't been hijacked or otherwise trojanized.
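The same signed/unsigned check can be done from PowerShell with the built-in Get-AuthenticodeSignature cmdlet. This is an added example, not part of prio or of Dropbox; the function name Get-ProcessSignatureReport and the process name 'Dropbox' are assumptions made for illustration.

```powershell
# Added example: report the Authenticode status of every running process image.
# Get-ProcessSignatureReport is a hypothetical helper name, not a built-in cmdlet.
function Get-ProcessSignatureReport {
    param(
        # Process name (wildcards allowed); 'Dropbox' is an assumed name used below.
        [string]$NameFilter = '*'
    )

    Get-Process -Name $NameFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |       # some protected processes expose no path
        Sort-Object -Property Path -Unique |
        ForEach-Object {
            # -LiteralPath avoids wildcard expansion of characters such as [ ] in paths
            $sig = Get-AuthenticodeSignature -LiteralPath $_.Path

            [pscustomobject]@{
                Process = $_.ProcessName
                Path    = $_.Path
                # Status values include Valid, NotSigned, HashMismatch, NotTrusted
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          } else {
                              $null
                          }
            }
        }
}

# Processes whose image is not validly signed (prio's "red" rows)
Get-ProcessSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize

# A single process, including who signed it
Get-ProcessSignatureReport -NameFilter 'Dropbox' | Format-List
```

A Status of Valid means the file is unchanged since it was signed and the certificate chains to a trusted root; compare the Signer subject against the publisher you expect, since the status alone does not say who that publisher is.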
