Slashdot Mirror


Not-So-Clean Hard Drives For Sale

Saeed al-Sahaf writes "The Register is running a story about a security consulting company that as part of a study bought hard drives and laptops on eBay, and then was able to recover highly sensitive data including customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. This is a bit scary considering all of these drives were supposedly formatted and sold for surplus by major companies (although few of us actually use the multiple formatting standards of the DoD). Looks like it's hardly necessary for crooks to get at your private information, although I'm sure industrial espionage spooks have probably done this for a while." Shades of the recent post about recovering sensitive contents from swap partitions.

20 of 436 comments

  1. Learn something!! not scaremongering!! by kiwioddBall · · Score: 5, Insightful

    Perhaps more useful than yet another pointless scaremongering exercise would be for the company that now owns the drives to go back to the companies that they bought them off to find out how they were erased so we could find out how not to do it, and where they were not successful in recovering info to go back to those companies to find out how they did wipe that info properly.
    The point is to learn something from it.

    1. Re:Learn something!! not scaremongering!! by 1u3hr · · Score: 4, Insightful
      Perhaps more useful than yet another pointless scaremongering exercise would be for the company that now owns the drives to go back to the companies that they bought them off to find out how they were erased

      From the wording of the story, it's not clear that the drives were erased at all -- it says 'all of had "supposedly" been "wiped-clean" or "re-formatted"', which makes it seem likely to me that this is not some high tech recovery from wiped space, but simply taking advantage of negligence. Other stories have highlighted this as a consequence of outsourcing of disposal to companies which are supposed to do this before selling them, but neglect to. A company shouldn't let a disk off the premises without wiping it themselves -- it's a trivial process, and as many other posts are detailing their favorite methods I won't bother. The sad consequence is that many potentially useful machines will now be destroyed out of paranoia and contribute to computer waste.

  2. If you're really paranoid about your data... by WIAKywbfatw · · Score: 5, Insightful

    If you're really paranoid about your data then don't sell your hard drives, even if you have used US DoD-levels of formatting. Duh.

    Rather than make a few tens of dollars selling an old drive, take it apart, and burn the platters until they're nothing more than dust. Problem solved.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    1. Re:If you're really paranoid about your data... by Phurd+Phlegm · · Score: 2, Insightful
      Rather than make a few tens of dollars selling an old drive, take it apart, and burn the platters until they're nothing more than dust.
      "Burn the platters?" What, do you live in a hyperbaric oxygen chamber? They're aluminum, aren't they?

      I was looking for a link for oxygen chambers and happened across this link on underwater blast injuries. I figured it was interesting and it kind of goes with the typo in the title.... At least, it seems more interesting than a second article that says "there's data on used hard drives."

  3. This is why... by DaHat · · Score: 3, Insightful

    Personally speaking, I've never given away or sold a HD in my life... not that I'm paranoid about what might be on it, I find it a good practice to use em until they die, even if it's only a few extra gigs.

  4. I'm going to rip a line from Schnier(sp?) by foidulus · · Score: 4, Insightful

    and say that if your company's secrets are that valuable, the safest way to get rid of hard drives is just to scrap them. Laptops are a slightly different story, but how much can one actually expect to get off an auction of an old hard drive off of ebay? By the time you figure in all the auction fees, labor to ship them etc, I would bet that the companies probably don't make that much. It might just be safer to eat the cost than to try to sell them. It all really depends on the value of your secrets.

  5. Is it worth the money by Anonymous Coward · · Score: 2, Insightful

    to sell old hard drives on eBay? I would think the cost of handling the entire transaction would cost more than the selling price of some old drive.

    My organization disassembles the drives and incinerates the platters. I'd like to see anyone get data from them.

  6. Re:Just Destroy The fucking Things! by neuro.slug · · Score: 5, Insightful

    Why destroy something that is perfectly reusable? We waste enough resources as it is. If anything, give them away to low-budget institutions in need. I'm sure the cost of low-level formatting a bunch of drives really isn't all that high.

    Waste = bad.

    -- n

  7. Re:Deconstructing a HD... by sik0fewl · · Score: 2, Insightful
    Just make sure you don't hurt yourself when playing with the magnets.

    Ha, yeah right. I'd like to see someone who's played with hard drive magnets and not *at least* pinched themselves really good.

    --
    I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
  8. Re:Active KillDisk by afidel · · Score: 5, Insightful

    Ah, but with modern disk drives it's basically impossible to be sure that you are writing to the same physical location. The magnetic domains are so small with GMR that temperature fluctuations of just a few degrees can throw off the alignment enough to ensure that complete erasure is not possible.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  9. hypothesisesees by real_smiff · · Score: 2, Insightful

    Maybe horse porn lovers like garage sales? Or, much more worrying, a much larger % of the pop. than we thought is into horse porn. Thanks for the comic goldmine of a post, btw.

    --

    This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

  10. Re:Eraser (GPL) by Anonymous Coward · · Score: 1, Insightful

    > That is only gratis software, so you really don't know how well it works, if at all. A better choice is Eraser, it is GPLed.

    What The HELL does a program's license have to do with its quality? Geez, talk about GPL zealotry!

  11. ` man shred ` for more info by Stephen+Samuel · · Score: 2, Insightful
    For the purposes of most people who aren't expecting the NSA to go recovering quantum residues off of your disk:

        # six passes of random data over the whole device
        for N in 1 2 3 4 5 6 ; do
            echo pass $N .. `date`
            dd if=/dev/urandom of=/dev/hdc
        done

    ( /dev/hdc presumes that the soon-to-be disposed of drive is the primary drive on the secondary IDE controller. Adjust as appropriate -- eg: /dev/hda to sanitize the dos C: drive).

    For those of you who don't have Linux, a copy of Knoppix will do fine, as will using the first install disk of most distributions, and going 'Linux Rescue'
    (I've tried this on RedHat.. I'll presume that others have something similar).
    Many distributions now also have the 'shred' command which does a (much) more organized version of the same thing.

    Oh, and did I mention "Backup any data you want to keep before trying this"?

    --
    Free Software: Like love, it grows best when given away.
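Added example (my own script for this thread, not the poster's): the same dd/urandom loop, written the way you would want it before pointing dd at a real disk. It refuses to write to a device that is still mounted, measures the target so exactly the right number of bytes are written, does N random passes followed by a final zero pass, and then checks that a marker string planted beforehand no longer appears anywhere on the target, which is the cheapest way to confirm the write landed on the device you meant. It assumes Linux (/proc/mounts, blockdev); the device path is supplied by you, and the marker string in the comments is a placeholder.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script: the dd/urandom loop
# with the checks you want before pointing dd at a real disk.
# Assumes Linux (/proc/mounts, blockdev for block devices). The target path is
# whatever you pass on the command line; nothing here defaults to a real disk.
set -eu

# Size of the target in bytes: block device via blockdev, plain file via wc
# (so the same functions can be exercised on a disk image file).
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Refuse to write to a device, or any partition on it, that is mounted.
refuse_if_mounted() {
    if [ -r /proc/mounts ] && grep -q "^$1[^ ]* " /proc/mounts; then
        echo "refusing: $1 or a partition on it is mounted" >&2
        return 1
    fi
}

# overwrite_from SOURCE TARGET SIZE: write exactly SIZE bytes from SOURCE over
# TARGET in place (no truncation) and flush to disk before returning.
overwrite_from() {
    head -c "$3" "$1" | dd of="$2" bs=65536 conv=notrunc 2>/dev/null
    sync
}

# wipe_target PATH [PASSES]: PASSES passes of random data, then one pass of
# zeros so the drive reads back as blank rather than as random noise.
wipe_target() {
    target=$1
    passes=${2:-3}
    refuse_if_mounted "$target"
    size=$(target_size "$target")
    n=1
    while [ "$n" -le "$passes" ]; do
        echo "pass $n of $passes (random) .. $(date)" >&2
        overwrite_from /dev/urandom "$target" "$size"
        n=$((n + 1))
    done
    echo "final pass (zeros) .. $(date)" >&2
    overwrite_from /dev/zero "$target" "$size"
}

# marker_absent PATH STRING: 0 if STRING no longer occurs anywhere on PATH.
# Plant a known string (e.g. "CONFIDENTIAL-CUSTOMER-DB", a placeholder) before
# wiping, then call this afterwards; -a makes grep treat the raw device as text.
marker_absent() {
    if grep -qaF -- "$2" "$1"; then
        return 1
    fi
    return 0
}

# all_zero PATH: 0 if every byte of PATH is zero after the final pass.
# Reads the whole target, so on a real disk this takes as long as one pass.
all_zero() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# coreutils shred does the same job with its own pass schedule:
# -n pattern passes, -z a final zero pass, -v progress on stderr.
shred_target() {
    shred -v -n "${2:-3}" -z "$1"
}

# Usage: sh wipe.sh /dev/sdX [passes]
if [ $# -gt 0 ]; then
    wipe_target "$1" "${2:-3}"
    all_zero "$1" && echo "readback is all zeros" >&2
fi
```

Run it from a live CD with the disk unmounted; the mounted-device check is there because the one mistake this script cannot survive is being handed the disk you booted from. The marker check is not proof that nothing is recoverable (the remanence arguments elsewhere in this thread are about what is below the interface dd can reach), only proof that the overwrite hit the right device and covered the whole of it.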
  12. Re:Eraser (GPL) by asdfghjklqwertyuiop · · Score: 3, Insightful

    What The HELL does a program's license have to do with its quality? Geez, talk about GPL zealotry!


    It's not about the license, you dolt, it's about source code visibility. If you can't see the source code, then you can't easily be sure what the program is really doing.

  13. The final solution...or paranoia by polemistes · · Score: 2, Insightful

    At least some companies don't take any kind of risks. A friend of mine, who works in a security company, told me he often gets assigned to take a big load of computers, often fairly new ones, to the dump, and there, using a sledge hammer, destroy all components in the computers, including the hard drives.

    Hearing about such things makes me angry, since all those computers could have been put to good use. If sensitive information really has to be stored in a computer, then they should take the precautions first, and use good encrypted file systems.

  14. Re:The Real Canadian Method by Anonymous Coward · · Score: 1, Insightful

    And who has the duty of witnessing this procedure?

    A policy is only as secure as the people carrying it out.

  15. Re:Active KillDisk by ostiguy · · Score: 2, Insightful

    The parent poster had it right:

    Basically, the theory is that if the heads are slightly off, the drive may still work fine, but the data is written slightly off as well, such that traces of the data exist due to slight magnetic remnants. The theory thus is that drives must be destroyed to be secure.

    most high security orgs feel the same way - IIRC, the Royal Canadian Mounted Police put out a doc for .ca govt usage, and they came up with allowing any non classified PC to be recycled. But they also laid out destruction requirements (how small the remaining debris must be) for classified and higher pcs.

    ostiguy

  16. Re:Low level it. by 0x0d0a · · Score: 3, Insightful

    Last thing I want is HIV or some nasty cuts from broken glass or metal shit.

    Phone handsets or doorknobs are generally *far* worse from a sanitary perspective than just about anything else. All the communicable respiratory diseases have been nicely cultured on the doorknobs by people sneezing on their hands and then operating the knob.

    Heck, your ancestors survived tromping around in the mud, barefoot, getting stabbed, clawed, bitten, stung, and so forth. You have an immune system and regenerative abilities that are awfully tough to muck with. Now, *cars*...*cars* are scary. Not many people die each year from scorpion bites, but tens of thousands of people die each year from auto accidents in the United States. And you probably have a road out right in front of your house!

    As Neal Stephenson put it -- you're a stupendous badass. You come from a long line of stupendous badasses. Anything that wasn't a stupendous badass is now dead.

  17. Re:Low level it. by teknokracy · · Score: 2, Insightful

    I just had an idea: If the data is so incredibly vital, if the data would cost a company millions if released, if the passwords would let anyone gain access to the system... why not just lock up the hard drives in a vault, or perhaps physically DESTROY them. After all, the cost of not selling those drives compared to the prevention of secrets/passwords being released is minimal! Then again, if someone wants your data, they'll get it by any means possible, so you are screwed either way.

  18. Re:what we do by RMH101 · · Score: 2, Insightful

    ...note I said "we're not military". Still, it completely Shatters the Platters (StP), which is what counts. Good luck to the NSA if they want to get that data back again.
    For the more paranoid, simply increase the number of holes.
    A power drill's a lot cheaper than a degausser, and *every* techie can find a use for a powerful cordless drill hanging on the wall, even if it's only for threatening lusers.