[lug] drive free space "wiper" recommendation
karl horlen
horlenkarl at yahoo.com
Tue Oct 12 10:50:01 MDT 2010
thanks for the info
--- On Mon, 10/11/10, Anthony Foiani <tkil at scrye.com> wrote:
> From: Anthony Foiani <tkil at scrye.com>
> Subject: Re: [lug] drive free space "wiper" recommendation
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List" <lug at lug.boulder.co.us>
> Date: Monday, October 11, 2010, 9:56 PM
> Paul E Condon <pecondon at mesanetworks.net> writes:
>
> > Claims made at the web site where the tool is offered for download
> > cannot be simply trusted, IMHO. How does one test a disk wipe to
> > verify that it has worked correctly?
>
> Well, at least one of the sites (Dan's Boot-n-Nuke, but I might be
> mis-remembering) has links to papers on the topic.
>
> And I wasn't being blind; I read through a dozen or more sites to find
> the two I recommended.
>
> > It seems to me that in the limited situation where there is no
> > reason to preserve any data on the HD, then dd would do a pretty
> > fair job, or maybe two passes of dd with ones and zeros. What more
> > could a 'better' tool offer?
>
> The history of "secure erase", so far as I know it:
>
> * Various OS's (at least back to MS-DOS in the 1980s) discovered it
>   was faster to just zero out a directory entry, rather than zeroing
>   out every sector that held data for the given file. This allowed
>   for various "undelete" utilities, but is obviously insecure.
>
> * Various programmers filled the need for a secure delete by offering
>   tools that would first write various patterns into the used sectors,
>   then do the actual delete.
>
> * Patterns are used because sufficiently-motivated labs (think 100k$
>   attack cost) can find traces of previously written values on the
>   media. That is, if you write "10101010", and then later write
>   "11110000" to the same location, a trace of the original pattern
>   remains. That trace can be detected with sufficiently advanced gear.
>
>   + This is the origin of the old "37 passes" approach; the idea is
>     that sufficient passes of 1s and 0s would put down so many
>     residual traces, the original would no longer be recoverable.
>
> * Recent (2000-ish to current) hard drives don't really write
>   individual, identifiable bits anymore. They use various coding
>   systems (much as 56k modems used more than two symbols: they were
>   really only 4800 baud ["symbols per second"] devices, but used 30+
>   symbols to provide 56 kbps throughput). This means that changing
>   your "10101010" to "11110000" might only affect two locations, and
>   might change that location from symbol "C" to symbol "Q". (As well
>   as likely causing the entire sector to be rewritten; I don't know
>   that detail.)
>
> * On top of all that, hard drives have been remapping sectors since
>   the 1990s at the latest. That means sensitive data might be left in
>   a "bad" sector, which could potentially be recovered if the
>   adversary spends enough effort to do so.
>
> > (This sounds like a rhetorical question, but I really am just
> > asking. Security issues puzzle me because there is always the
> > possibility of yet another level of deception.)
>
> I strongly recommend _Practical Security_ (aka _Security Engineering_)
> by Bruce Schneier and Niels Ferguson:
>
> http://www.schneier.com/book-practical.html
>
> The most important lesson is that you need to first determine what
> you're protecting, then what/whom you're protecting against, and
> finally you need to decide how much you're willing to "pay" for that
> protection.
>
> Short version: security is a trade-off between cost, ease-of-use, and
> many other factors. (Would you like a shell that prompted for your
> password before executing every command? That'd be more secure, but
> very much a P.I.T.A...)
>
> In this case, you want to determine what level of threat you're
> protecting against. In this particular case, I see:
>
> 1. Consumer / hobbyist / low-end tech support person.
>
>    If you're selling a drive on eBay, or taking your laptop in for
>    service, this is the level of attack. Most likely will only be
>    attempted through standard interface, so remapped sectors are not
>    an issue.
>
>    Myself, if I had anything I really worried about on that hard
>    drive, I'd do my best to replace it with a scratch drive before
>    sending in the device. (This also has the advantage of eliminating
>    the hard drive or software as the culprit.)
>
> 2. Local law enforcement, low-end data recovery services.
>
>    These can likely get to the remapped sectors, at the very least.
>
> 3. National law enforcement, hard drive manufacturers, high-end data
>    recovery services.
>
>    These can scan the platter "manually" and reconstruct the primary
>    data, as well as potentially recovering traces of previous data.
>
> If you're really worried about #2 and #3 ... the right answer is
> probably to keep the drive in your physical possession; if you need to
> discard it, disassemble the drive and melt the platters.
>
> My own level of paranoia is such that I've got about 50 drives of
> various vintages sitting in a box... (remember when a 640MB 'bigfoot'
> 5.25" drive was awesome? :)
>
> HTH,
> t.
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
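The two-pass dd wipe Paul describes, together with the verification step he asks about ("How does one test a disk wipe to verify that it has worked correctly?"), as an added example that is not part of the thread and not Anthony's or Paul's own script. It assumes a file-backed image standing in for the drive (so it runs without root; on real hardware the path would be the block device), a constructed marker string as the "old data", and that only what is reachable through the standard interface is being checked. As Anthony's threat level #1 note says, that is exactly the scope of this check: sectors the drive has remapped never pass through dd or the read-back, so this verifies the wipe against a casual reader of the disk, not against anyone who can reach the remapped sectors or the platters.

```shell
#!/bin/sh
# Added example: overwrite a drive image with dd (ones pass, then zeros pass)
# and independently verify that every byte reads back as the final pattern.
# The "device" is an ordinary file (assumption) so this runs unprivileged;
# for a real drive DEV would be /dev/sdX and the size taken from blockdev.
set -eu

SECTORS=2048   # size of the constructed test image, in 512-byte sectors

# make_image PATH: build a file-backed stand-in for a drive, filled with a
# recognisable (constructed) marker so that an incomplete wipe is detectable.
make_image() {
    yes 'SECRET-DATA-THAT-MUST-NOT-SURVIVE' | head -c "$((SECTORS * 512))" > "$1"
}

# image_size PATH: byte length of the image (wc may pad with spaces on BSD).
image_size() {
    wc -c < "$1" | tr -d ' '
}

# pattern_stream OCTAL: endless stream of one byte value, e.g. 000 or 377.
# tr rewrites every NUL from /dev/zero into the requested byte.
pattern_stream() {
    tr '\000' "\\$1" < /dev/zero
}

# wipe_pass PATH OCTAL: one full overwrite pass with the given byte value,
# written through dd exactly as one would against a block device.
wipe_pass() {
    size=$(image_size "$1")
    pattern_stream "$2" | head -c "$size" | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# verify_wipe PATH OCTAL: read the whole image back and compare it byte for
# byte against a freshly generated stream of the expected pattern.
# Returns 0 only if no byte differs, i.e. nothing readable survived.
verify_wipe() {
    size=$(image_size "$1")
    pattern_stream "$2" | head -c "$size" | cmp -s - "$1"
}

# residue_present PATH: 0 if the constructed marker is still readable anywhere
# in the image (grep -a treats the binary image as text).
residue_present() {
    grep -a -q 'SECRET-DATA' "$1"
}

# demo: the full procedure on a throwaway image: ones pass, zeros pass, check.
demo() {
    img=$(mktemp)
    make_image "$img"
    residue_present "$img" && echo "before wipe: marker readable (expected)"
    wipe_pass "$img" 377      # pass 1: all ones
    wipe_pass "$img" 000      # pass 2: all zeros
    if verify_wipe "$img" 000 && ! residue_present "$img"; then
        echo "wipe verified: every byte reads back as zero"
        rm -f "$img"
    else
        echo "WIPE FAILED: image still differs from the zero pattern"
        rm -f "$img"
        return 1
    fi
}

demo
```

The read-back in verify_wipe deliberately regenerates the pattern rather than trusting dd's own exit status, since a short write, a cached block or a typo in the device path all leave dd reporting success while old data remains readable. Use a distinct marker per image if you run this against several, so a stray match cannot come from another run.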