Not-So-Clean Hard Drives For Sale

Saeed al-Sahaf writes "The Register is running a story about a security consulting company that as part of a study bought hard drives and laptops on eBay, and then was able to recover highly sensitive data including customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. This is a bit scary considering all of these drives were supposedly formatted and sold for surplus by major companies (although few of us actually use the multiple formatting standards of the DoD). Looks like it's hardly necessary for crooks to get at your private information, although I sure industrial espionage spooks have probably done this for awhile." Shades of the recent post about recovering sensitive contents from swap partitions.

Learn something!! not scaremongering!!

[kiwioddBall]

Perhaps more useful than yet another pointless scaremongering exercise would be for the company that now owns the drives to go back to the companies that they bought them off to find out how they were erased so we could find out how not to do it, and where they were not successful in recovering info to go back to those companies to find out how they did wipe that info properly.
The point is to learn something from it.

Re:Learn something!! not scaremongering!!

[1u3hr]

Perhaps more useful than yet another pointless scaremongering exercise would be for the company that now owns the drives to go back to the companies that they bought them off to find out how they were erased

From the wording of the story, it's not clear that the drives were erased at all -- it says 'all of had "supposedly" been "wiped-clean" or "re-formatted"', which makes it seem likely to me that this is not some high tech recovery from wiped space, but simply taking advantage of negligence. Other stories have highlighted this as a consequence of outsourcing of disposal to companies which are supposed to do this before selling them, but neglect to. A company shouldn't let a disk off the premises without wiping it themselves -- it's a trivial process, as many other posts are detailing their favorite methids I won't bother. The sad consequence is that many potentially useful machines will now be destroyed out of paranoia and cosntribute to computer waste

If you're really paranoid about your data...

[WIAKywbfatw]

If you're really paranoid about your data then don't sell your hard drives, even if you have used US DoD-levels of formatting. Duh.

Rather than make a few tens of dollars selling an old drive, take it apart, and burn the platters until they're nothing more than dust. Problem solved.

I'm going to rip a line from Schnier(sp?)

[foidulus]

and say that if your company's secrets are that valuable, the safest way to get rid of hard drives is just to scrap them. Laptops are a slightly different story, but how much can one actually expect to get off an auction of an old hard drive off of ebay? By the time you figure in all the auction fees, labor to ship them etc, I would bet that the companies probably don't make that much. It might just be safer to eat the cost than to try to sell them. It all really depends on the value of your secrets.

Re:Just Destroy The fucking Things!

[neuro.slug]

Why destroy something that is perfectly reusable? We waste enough resources as it is. If anything, give them away to low-budget institutions in need. I'm sure the cost of low-level formatting a bunch of drives really isn't all that high.

Waste = bad.

-- n

Re:Active KillDisk

[afidel]

Ah, but with modern disk drives it's basically impossible to be sure that you are writing to the same physical location. The magnetic domains are so small with GMR that temperature fluctuations of just a few degrees can throw off the alignment enough to ensure that complete erasure is not possible.