Slashdot Mirror
Is Your Banking Information Accidentally On Ebay?
GraWil writes "The Toronto Star is reporting how two Bank of Montreal computers containing thousands, of sensitive customer files were sold to a student who fixes up machines and then resells them on eBay. It seems that the company responsible for scrubbing the disks (Rider Computer Services Ltd.) misfiled the machines in their warehouse and it was assumed they had been erased." It's not the first time this sort of thing has happened.
My take on the whole issue is that somebody caught it and went public with the information soon enough to prevent damage.
Lets hear it for the unsung heroes in life.
They should just get rid of it and save us all alot of headaches while recouping some money from the second hand machine.
My bank is my matress and if it starts talking, then I have other issues to deal with.
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
Personally, i think that any hard-drive that has been used for that purpose should be securely destroyed instead of being sold. Simon.
Personally I have always been a big fan of physically shredding hard drives which have contained sensitive data. Although the risks associated with re-assembling and recovering wiped data from, say, a RAID 0+1 array is pretty minute, the cost in terms of loss of corporate image outweighs the few hundred bucks made by trading in used disks.
Nothing is accidental. It is a conspiracy!
Don't you just love it? If protection of customer information indeed is your number one priority then why the fsck don't you have procedures is place, which make such a blunder outright impossible? And if you do have such procedures in place why don't you enforce them?
Are those PR liars (and what else could such a "chief privacy officer" making such an outragous statement actually be?) all cranked out by the Forked Tongue Institute for Marketing & PR, or what?
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
There is: WIPE.
There is:
/dev/urandom > /dev/hda
cat
but it's only up to a 'release candidate'. Quite frankly, I'd be sure to use only a tested release for a critical task like this. You could try to wipe a Word document and who knows? it might wipe the entire boot sector to oblivion.
- W G
Seems like this event makes the case for encrypted HDs -- schemes that render data unretrievable without the proper passwords/biometric signatures/magic hardware dongles. The idea that all our personal records are stored in clear text on thousands of HDs and backup tapes at a myriad of institutions is not too pleasant.
As a purchaser/fixer/collector of old computers, I have seen many a file that some prior owner would probably have prefered I not. Although I, personally, have seen nothing of a criminal nature (or of a nature that would allow me to perpetrate a crime) I know others who have found strange files on old computers. Psychotic diary entries that advocated violence, financial records, proprietary engineering data, etc. all have an odd way of being left on HDs of obsolete machines. If a old machine stops working, few people make the effort to fix it in order to erase data. Systems that automatically make the data inaccessible in all but valid/authorized machine states would ensure the protection of the data.
Although any encryption system can be broken, by social engineering at the very least, it would be better if there were at least some barriers between sensitive data and potentially prying eyes.
Two wrongs don't make a right, but three lefts do.
A nice old lady I know who was in Britain's MI5 realised after throwing away her computer that it was not wise to leave a hard drive full of sensitive information. She and her son then drove back to the rubbish dump and pelted the hard drive with bricks until it gave in.
yeah -
a damn
shame.
While its fine to scrub hard disk clean of their data when they are working fine, what do you do when the hard disk has bad sectors?
That happened to me 2 years back. A Maxtor HDD went bad. Sent it back to Maxtor, got another one. The replacement turned out to be bad too.
Had to send that one back and got the 3rd HDD.
There was a lot of data on the 1st HDD I sent back to Maxtor.
I checked the Maxtor website for any statements as to what they do with their data but couldn't find anything.
Many people(unless they have 2 computers and know how to deal with IDE pins) will just send the disk to their manufacturers, whether it contains data or not. Scrubbing a disk clean with bad sectors requires you to isolate the bad sectors by partitioning.
First off unless the entire IT department of the bank are complete morons, most financial data is NOT kept on loacl machines but the file server and the main database machines.
I know that the caches and things MAY hold some sensitive data but it's highly unlikely.
Unless the person that used that PC in the bank was also a incompetent boob and say saved a spreadsheet of 200 credit card numbers and information in the local drive (why the hell are you making an insecure document like that?) it's only a mild security breach.
It shakes the confidence of the customers more than anything else.
Do not look at laser with remaining good eye.
So this kid buys and repairs machines, but didn't even turn the machine on until long after he'd put it up for sale?
Wow I wish I was as efficient as him...
Yeah, punish the innocent bank customers because the bank screwed up. What a genius idea.
Thats outrageous, now they have my passwords as well.
What you guys don't use your social security and bank account numbers as passwords?
Most companies who's machines hold sensitive data do retain/destroy the hard drives. You can find plenty of machines on ebay, sold stating 'without hard drive' or 'just requires hard drive'.
If it was law, rather than just good practice, maybe we'd feel a lot safer.
If you look at the article no one appears willing to take the blame for it, from the bank itself to its two subcontractors tasked with verifying that data is indeed gone from hard drives.
I find it appalling that the 'computer security team' sent to this guy's house were told to 'seize' the drives when clearly he was doing them a favour. Though they thanked him later and gave him replacement (presumably blank) drives, fuckups like these should have proper ramifications. Along the lines of dismissals.
Figures it was the Bank of Montreal. Those idiots can't do anything right, from paying their then-CEO too much to stupid online banking to hypocritical ad campaigns in 1996. Losers!
In Googling I came across this, which lists voluntary sector computing activities in Canada supported by the banks. Just think what interesting fundraising activities could have been made possible by this kind of donation...
========================================
Death will come, and will have your eyes
-- Pavese
Of course not - i put it there
Slashdot - The one stop shop for procrastination
Often people who steal computers are much more interested in the data than the hardware. Probably because it is a lot more complicated to track data theft than following the physical trail of stolen hardware.
I once picked up a PC from a council tip (dump) and that contained full patient record, drug charts, names, addresses, even patient photographs. It was from a local mental institution apparently. In order to prevent this material becoming public they had taken the well thought out step of unplugging the IDE cable. Marvellous. That got formatted and ended up on Ebay. Seems the person responsible was doubley stupid as it seem he was throwing away a high end P2 (this was a fair few years back folks) because the HDD was full. Hey ho!
You don't have to pay for Norton Wipeinfo if you're on Windows.
I'm told that both Scrub and Eraser are pretty good - although I haven't used them.
Both of which are free (in the "don't have to pay any money" sense)
Avantslash - View Slashdot cleanly on your mobile phone.
I'm sorry, but any hard disk that is used to store any sort of information about other people should probably be DESTROYED, not re-sold so you can make a few bucks off of the deal.
Pls No Negative Modding!
The should have installed Windows... that would render it useless
check your AUPs. you do have AUPs, yes?
There are valid reasons for checking out the contents of the HD -- if you think a machine might have been stolen, then finding the prior owner is the right course of action. I know of one dumspter diver who tried to reunite an old PC and its data with its former owner. The former owner was pleased by the honesty of the finder and upset that the HDs had not been wiped as promised by a PC recycling company.
The hardest case that I heard was a used computer buyer that ran across some very disturbed writings on a old machine. Violent written fantasies could have been just someone letting off steam, writing fiction, or a prelude to going postal. Finding potential evidence of a forthcoming crime places a severe ethical burden on the finder of the computer files.
Personally, I don't make a point of snooping and tend to just reformat the HDs of old computers that I buy. This also forestalls the licensing issues with old software on old computers -- that old copy of M$ Office may (or may not) be legal.
Two wrongs don't make a right, but three lefts do.
The problem is not he laws. There are plenty of laws and the Canadian goverment even has a provacy officer. The problem is that everyone "assumed" that the drives had been wiped. I personally feel that this is one of those things that should not be outsourced. At the very least the banks should have hired a student or an intern to physically remove the drives so they cuold be destroyed.
did she work in the department of senile old incompetents?
When it comes to computers, the level of technical incompetence in some of the agencys/companies that are supposed to safeguard or process sensitive public information (banks, police, government..) is sometimes really scary..
"You lied to me! There is a Swansea!"
Physical destruction of used disk drives is not necessary and could in fact engender a false sense of security. Think about it ..... a "secure disposal company" could bake a drive at curie temperature for 24 hours in an alternating magnetic field of varying frequency, strap a hand-grenade to it and drop it down a disused mineshaft, but how can you be sure it's the same drive, or that they haven't made a backup of its contents? If you wanted to get hold of stuff people wanted rid of, what would be a better front for getting it?
..... there are a lot of things they thought were impossible ..... what if someone finds a way ..... Hell, sooner or later someone is going to come up with a scheme for disposing of the air from meeting rooms where secret conversations have been held. The simple scientific fact is that it takes only one overwrite cycle to make data unreadable. You can prove this to yourself using a disk sector editor, but it should be obvious anyway. If the drive could tell a "1 that used to be a 0" from a "1 that has always been a 1", or a "0 that has always been a 0" from a "0 that used to be a 1" with any degree of reliability, someone would already have used that as a capacity-doubling mechanism! It's possible that there might be some difference detectable with a sensitive analogue circuit, since there is a hysteresis loop and there really are the four states I described above. Two overwrites of opposite polarity will force the magnetic media into a known state. Even so, just one overwrite will give someone a massive headache trying to recover the data, because the "used-to-be" data has an inherently high error rate. It's already hard to tell "X that used to be !X" from "X that always has been X" and if the overwriting data is random enough, then it's hard to work out what was ever meant to be what.
Overwriting the drive using software is more verifiable. You de-network the machine, boot it up from a CD, and can analyse the drive contents before starting a wipe cycle. You switch off and back on to prove there is no cheating. Then you can analyse the drive contents again and be sure they are different. The drive never left the machine, but you can be sure the data left the drive.
Whatever anyone may say, remember these "secure disposal companies" are after your money and don't mind playing on your most groundless fears to get hold of it
dd if=/dev/audio of=/dev/hda might conceivably do a good job on a used drive, if you make sure the gain is turned up nice and high and there is nothing plugged into the sound card. Filtered static and power hum are the nearest you're going to get to true randomness.
My drives are invariably thrashed for as long as they work, then get the magnets removed for use in experiments {and wiped a few times across the platters for good measure}.
Je fume. Tu fumes. Nous fûmes!
A couple years ago, after one of my company's bigger layoffs, the company had a free raffle for old workstations. I won one of the machines. It happened to be the old billing server. The IT folks were supposed to have wiped it clean, but they didn't.
I wiped it clean myself and destroyed the info, but not everyone would have done that.
Aren't you worried using a beta release candidate might destroy your data?
The absolute main security issue was customer data. Not that they would have fancied embezzlement or theft but this was looked upon far less serious then compromising customer data, period.
In the data centers (which you had to physically access in order to query real customer data, safe for the front office and also there it was very restricted what you could look at) you had to go through multiple layers of security and where not permitted to even remove a printout.
Computers where dismanteled and disks shredded, they where never for resale. This was applicable for every last computer from every last branch and office
Now, I agree shit happens. Probably in their case it started with outsourcing such a critical tasks to "ACMEs chep disk blanking operation" in order to save a few bucks. This is not really excusable, but it happens.
But what really gets my blood boiling are statements like the one from that PR bimbo, which are just utter bullshit.
Maybe she should apply for a job at Microsoft to sell "trustworthy computing".
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Sorry, you are all wrong...
a) you have disks silent errors (because error-correcting codes corrected them) that will copy sector data to a reserve sector without notice, that makes your old data inaccessible at software level but readable at controler level
b) you can use high resolution magnetic imagery to recover several rewrites of the same track
c) in my books, a hum is very far from random, it's predictable !!!
Physical destruction is the only reasonably secure solution.
.. are you?
:P
Would have been much easier to just have the program copy the password into the clipboard so you could paste it
CBC Radio 1 had an interview with a security representative from the bank last night on As It Happens. An audio recording of the program is available here. (It's the ninth item of the programme.)
Great minds think alike; fools seldom differ.
As appealing as physical destruction of an HD is, it is not a wise course of action. As with most electonics, HDs contain lead, glass fibers in the circuitboard, and caustic chemicals in the electrolytic capacitors. And I have no idea of the potential toxicity of the materials coating the platters or used in the rare earth magnets in the actuators and motor.
Turning data into dust creates an environmental hazard. Therefore, it's better to send old electronics to an institution that has the tools and procedures for safely recycling/recovering/reprocessing the materials in the HD. Yet we obviously cannot and should not enrtust these companes with our sensitive data. That is why some form of encryption (either in hardware or software) is the solution to making the data unrecoverable.
Two wrongs don't make a right, but three lefts do.
-jls
Techno-pagan
Shouldn't customers' private information have at least as much rights as some stupid Brittany Spears song?
Modern hard drives have commands "SECURITY ERASE" and "ENHANCED SECURITY ERASE". Search for those terms and hdparm on google. Also below is a link to the quality of the erasure. Note: these will erase even bad "mapped out" sectors. Enhanced erase will even go off track + and minus which erases the edges. atapwd.zip does regular erase (search).
E ra se%20Article%20for%20IDEMA,%20042502.pdf
http://www.tomcoughlin.com/Techpapers/Secure%20
It's a shame that there isn't a Linux program that does something similar.
Others have mentioned specific utilities, but with almost any bootable CDROM Linux variant you can wipe a disk pretty throroughly as follows. This is for when you're retiring a system and want to overwrite the entire disk, not scrubbing free space on a live system:
This will write pseudo-random data over the hard drive 10 times. To make it happen more times, change '10' to 'N' where N is larger than 10 in the 'seq' command. To use true random data rather than pseudo-random, use /dev/random, but realize it may hang waiting to gain more entropy and, for this use, I'm not sure there is any real advantage in true randomness.
You can also use 'dd' on a live system, writing to a file instead of a partition, and fill up free space on that partition (then delete the file!). This will overwrite data from deleted files, but will not get slack space, which is the particular advantage of using the 'wipe' tool that someone else mentioned. Also, remember only root can fill the filesystem; everyone else gets cut off with some small % free.
Windows users should also realize that with Windows 2000 (um, SP3 I think) and above the EFS tool 'cipher' will allow you to wipe unused disk space, so that you can proactively make sure that deleted files aren't hanging around on disk. This is useful if you want to make sure old files don't accumulate on the hard drive of a working system, especially physically insecure laptops etc. etc. It presumes the NTFS file system, of course.
will overwrite the free space on the C: partition with 0s, then 1s, then random data. I'm not sure if it gets slack space.
Of course, a very slim possibility remains that sophisticated and expensive physical analysis will still recover data from disks wiped in this manner. Unless you've seriously honked off the NSA, however, these should provide sufficient protection for most uses.
There have been other posts how the hard drives should be destroyed and not wiped&sold after usage. A friend of mine once worked at a steel mill. Smashing them to bits with a hammer was not good enough - the used hard drives went directly to the smelted iron...
No risk of leaking the data through used computers.
Scarey. Humans make mistakes. Security disk cleaning should be done by robot workers run by a robotic management. A huge organization is only as smart as its dumbest employee.
I hope he got back his ebay listing fees.
I worked as a computer tech for a retail chain and they destroyed all of the hard drives with their Point-of-Sale systems for that very reason. I find it disturbing that a -bank- who would have more sensitive information than a retail chain, would just erase the data (and in this case forget too).
Bravo to them! A refreshing change from all the stories of corporations responding to security issues by shooting the messenger.
"How to Do Nothing," kids activities, back in print!
I was consulting at a community bank last spring, helping them getting ready for an IT audit by the FDIC. They were replacing some machines, and I persuaded them to donate the old ones to a local computer group who refurbishes them and places them in schools and non-profits. I could see that their IT policy manual contained nothing about even wiping drives let alone destroying them.
As soon as I got them to my office, I invited the CEO in to see how much customer info his IT department had "donated." He was, of course, shocked. The sad thing is, probably 30 people were involved in that transfer and not one of them had the slightest clue. Another said thing is that the donation fiasco was just one of hundreds of examples of failure to adequately protect the privacy of customer information.
The good news is that the FDIC is taking customer data security very serious and is coming down hard on breaches and potential problems during their IT audits and their Safety and Soundness audits. So maybe it will get better. Except we are talking about humans...
computerlady - a brand new Slash-daughter - alone, but no longer invisible, in the
Looks like they outsourced the job to someone with different priorities.
Which yet another reason why I think this outsourcing thing is overrated.
Outsourcing is just an excuse for management to sack people, temporarily cut costs, blame the resulting crappy service on "transitionary period", use the savings to pay themselves big bonuses, complete contract, leave to slash and burn another company.
The magazin CT made a test using different wipes:
1. Overwrite with zeros
2. overwrite with random zero/one
3 5 passes of random owerwrite.
Then they were send to leading data recovery firms. They couldnt even rescue data from the first disk.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
... is that when a person or organization is wrong, and defends itself, or passes the buck, or excuses itself, or goes on the counterattack, or even if their face locks up in a mask to hide their true feelings, then you know that they have not learned their lesson, and the error/offense is going to happen again.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Since I am a consultant I have a GST number.
I recently got some GST mail saying that every business in Canada needs to come up with a privacy policy. It said (something like): Privacy, its good for business.
Well that depends on your budget.
;) ), if anyone can recover data from that it'll be worth watching.
;).
I recommend sanitization by melting HDDs into a molten puddle of metal with a blowtorch or some other high temperature (if you're in Hawaii chuck HDD into lava - but make sure it ends up in the lava, and you don't get charcoaled
Sure simple overwriting may not be recoverable with a budget of up to USD10K. Or maybe even USD100K. But once you hit millions or more, they might pay a bunch of very smart people to piece together data bit by bit over a couple of years using high end microscopes. After all a high end microscope is not bound by the same limitations a HDD head has - cost, speed, precision, accuracy.
It's probably magnitudes easier if they use drive mirroring (RAID1) and you have all the drives. And y'know lots of the important stuff happens to be on RAID for some reason
If someone does all that to recover data from my HDD I'd find it funny, but if I were a Bank, I won't find it funny at all.
In many countries you need a Banking license. If you screw up this way, top people get sacked - otherwise the Bank loses the license.
Has anybody stopped to thank the kid that let the bank know? It is comforting to know that there are still a handful of people out there who are still honest.
Just my humble opinion,
SirLantos
The flying hamster of DOOM rains coconuts on your pitiful city.
Gov't employees, military personnel and law enforcement in sensitive areas have to go through a background check.
This begs the question, what sort of background checks are performed on the technicians fixing the computers? And what sort of computer security experience do they have?
I would at least expect a "student" not be employed in this type of position. Give it only to a qualified full-time employee w/ good compensation and benefits - that in itself should be a deterrent.
Just the other day, I was helping organize furniture in a community furniture bank, and we came across a dsek that was chock full of this guy's fianancial history. Bills, receipts, loans, credit card statements, everything. We joked around that we could go shopping and get ourselves a new car, had any of us had loser morals this guy would have been screwed. Just goes to show, it happens in the real world too still.
I was outraged when I saw how much they get paid! Then I remembered it's Canadian Dollars, so it's not that bad. ;)
We used to destroy HHD by letting the techs(me) go apeshit on them with a hammer, then some sandpapaer, then my supervisor would litereally wake someof them home for target practice with his .45.
THey now require the disks to be physically shredded, but i think we came pretty damn close.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Do you really believe that someone looking for a bargain computer on EBay will have access to the equipment to "use high resolution magnetic imagery to recover several rewrites of the same track" or will regularly read the disks from their recent purchases at the controller level???
You must have a higher opinion of the resources and intelligence of the average EBay buyer than I do.
And I get paid under $20K/year to wipe the drives for a major U.S. bank. The guy before me let hundreds of machines full of customer and bank info out to various schools, when I found out I had to travel all over the state wiping out computers, but who knows what made it out before I got to them.
When it boils down to it, these are ancient machines (mostly P166s and wiping a drive takes HOURS on them, and it ain't pretty work, it's dirty warehouse work and lots of heavy lifting. Nobody want's to pay professsionals $75/hr to wipe machines that stopped returning-on-investment years ago.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
Obviously eBay is liable because they failed to ensure that no banking information was available for sale on their site. Furthermore, anyone whose web site contains a LINK to an eBay page is EQUALLY liable, because linking to information is the same as hosting that information. And, since I have it on good authority that music CDs and adult videos are also sold on eBay, anyone with a link to eBay should be sued by the RIAA as well as prosecuted for obscenity if a child has access to the link.
You think I'm kidding? All this has been decided in actual court cases over the last few years. Judges with little technical knowledge, and juries with less still, don't understand the technical reasons why the prosecutor's arguments, when framed in intentionally deceptive "layman's terms," are ridiculous, and absurd case law is formed. The lawyers love this. Make the law as much of a minefield as possible. All the more business for the nationwide glut of attorneys.
What Would Jesus Do
(for a Klondike bar)?
Since the Bank is responsible to Canadians for how it uses our information, why didn't it just scrub the disks in house, even something like format c:
then send the box to the outsourcers?
If this keeps happening, you bet Canadian Bank Law will mandate they do their own scrubbing...
I've had conversations with friends who are very indifferent to the fact that various bits of information are collected here and there about them, never thinking that somehow, it could end up where they never expected it. I believe that you should treat information about yourself, about what you do, etc., with every bit as much care as you would the front door to your house. Once someone else has it, it's pretty much out of your control.
CrazyLegs
"Pork!!" said the Fish, and we all laughed.
No it seems to be plain old piss poor proceedures to me, it's not that hard to fix either.
Exactly.
I log on as root (on Windows yet). I leave my machines up and running and logged in (as root). I have systems with the user name & password (same) writ large on the keyboard. Piss poor security, yes, but at that level I'd never let a system out to scrap with a hard drive that might contain anything slightly sensitive. Since it might contain some cached profiles, this means every hard drive.
The problem with hard drives (or waste baskets) is that whoever get them can peruse them at leisure with no threat of discovery and no requirement to put things back the way they were.
pops in a linux cd
Aha. a linux cd. Which Linux cd? (wise-ass answer: bootable is better).
You can run badblocks destructive surface analysis if you've got the patience and want to ensure that the disks are good. If you're real lazy, dd if=/dev/zero of=/dev/sda, let it run for a few seconds, and odds are pretty high that noone would take the trouble to rescue all the data that's still there on most of the drive. If you've got anything sensitive, however, fragments of the data itself are useable, so you need to at least finish one complete overwrite.
This isn't complete security, but the methods of recovering further are extremely expensive and are not used on random disks. Even zeroing the front end ensures that it will take a fair amount of trouble "just to see what was on the disk". The point of security isn't that the lock is unbreakable. The point is that the lock is strong enough that it isn't worth taking the trouble to break it. That shouldn't have happened even with a total crap level of security.
How could this have happened? Is Microsoft Windows really that brain deadening?
sometimes it ends up on there from individual users' stupidity too. A friend of mine just bought a 17" powerbook off ebay a few weeks back. I was playing with it and saw that it had this guy's quicken files dating back to like 1997. It had U of Maine school/financial aid records. It had all kinds of personal documents on there. It would be SO easy to steal this guy's identity. There were SSN, DL #, bank account numbers, credit card numbers, addresses, phone numbers, EVERYTHING in one convenient location.
It just boggled my mind that someone could be so stupid as to leave that kind of thing on their computer when they sold it.
I guess there is a reason why my company destroys every computer - Cheaper than deleting the hard disk. They send it thru a smashing machine that produces bits and pieces of the machine on the other end.
It's on record that, for example, the manufacturers of DES IDE hard disk encryption cards have a backdoor inserted.
GET OVER IT!
K...THKZ!
The banks should have 0'd or trashed these drives before selling them. I see this type of neglect as soley the responsibility of the bank.
Why? Well, if you hire an accountant and don't double check his work, it's your arse. Why should it be any different with a corporation's responsibility when it comes to guarding customer data?
Personally, I would like to see more laws guarding US. Not slapstick anti-terrorism laws directed at destroying personal privacy, but real laws that protect real people. As we are the source of America's economic might. At the point where citizens don't have money to throw at giants, then the giants won't exist anymore. At least, not inside our borders.
Are you employed by the subcontractor that forgot to wipe the hard drives in the article the posting was based on?
Tech Public Policy stuff
the problem is that even with magnetic micoscopy, after 2 or 3 overwrites every bit is a educated guess. And even if the chance of succes is 95%, calculate how big the chance is to revocer a name or a credit card number without error...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
The PHB at the small office where I work bought about 20-30 old Pentium 133 machines at auction. I bought/traded for two of them, since we weren't going to use them all at work. They still had their installs of Win95 with a NetWare client and a few company documents. Nothing very interesting, though. I still have a backup of one of them; maybe I'll look through it some more and see what I can find.
It's an operating system, not a religion.
Quote from the paper: For this reason it is effectively impossible to sanitise storage locations by simple overwriting them, no matter how many overwrite passes are made or what data patterns are written. However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive."
The program I use in Windoze to erase/overwrite files does 30 passes according to the principles set forth in the paper. If I were storing really sensitive info on it, I'd do as the Department of Defense does and physically destroy the media.
If you ever have to handle confidential information, depend on the info in the paper I linked to, not your guesses. This isn't a matter of research that needs to be done, this is work that was done years ago by people really motivated to find out the right answers.
Now, I've got to get an update for the program, which is oddly enough, called Eraser. Wish there were a Linux port.
Tech Public Policy stuff
I remember reading about some guys at MIT that made a linux CD specificaly made to find all of the drives on a machine and does a cryptographic shreading on them; just enable boot from cd in bios, popin the cd and boot the machine and it automaticaly shreds the disks by writing a pattern of zeros and other numbers to change every bit to an zero, military grade zero!
Apocalypse Cancelled, Sorry, No Ticket Refunds
Well, the demand for change has got to come from someone who has the ability to make the bank listen and act.
That would be the bank's customers.
Banking isn't the only area where this happens. I run a computer recycling biz on the sidelines to donate computers to needy organizations/kids and I have had government agencies give me computers fully loaded with super confidential information..like criminal records, medical histories, psychological profiles, login/passwords for government agencies, the list goes on and on. This is on the state level I have to say but sheesh. At least the federal government usually has the sense to pull the hard drives and erase them the good old fashioned way..with a sledge hammer.
0x09F911029D74E35BD84156C5635688C0
And I'll tell you a story about a surplus CD-ROM server containing classified discs, those went into the microwave and subsequently into the dumpster.
But that can't beat the much more recent pallet of misc that contained an entire file box with names, addresses, ssn's, signatures, medical records, and retirement plan contributions for about 200 teachers at a public school district. That recently went to the landfill.
A percentage of the people that are responsible for security in large institutions and organizations are evidently impossibly stupid. It's a big enough percentage that I've run into these two whammies personally.
Scary.
You can buy a bulk eraser for disk drives. It's just a big AC electromagnet in a box. It erases the prerecorded control tracks, as well as the data, so the drive becomes useless.