A New Technique to Quickly Erase Hard Drives
RockDoctor writes "Stories about 'wiped' hard drives appearing on eBay (and other channels) and being stuffed with personally identifiable data are legion; rarer are spy planes having to land on enemy territory, but it happened in 2001 to a US spy plane over an un-declared enemy (China, and that's a topic in itself). Dark Reading reports the development of a technique to securely wipe a hard drive in seconds, and which is safe for flying. (The safe for flying criterion rules out things like fun with packing the drives in thermite. Also thermiting the drives may not erase the platters to the standard required, which is moderately interesting itself.)"
Why wasn't the content of the harddrive encrypted?
Wouldn't it be easier to use a flash memory chip? It's unlikely that more than a few GB would be needed. And destroying a flash chip is much easier.
Or, just encrypt the data with the key in RAM. (Linux can already do this with swap - it's completely transparent to the user, and the key only lasts as long as the system remains running).
Normally the hard drives just go into a grinder or furnace. Sure, that won't suit an airplane, but neither will a bulky magnetic device that weighs 125 pounds per hard drive. (can't just have one because the drive has to slide right in)
The obvious solution: encrypt everything that hits the disk, keep the key in RAM, and overwrite the key when needed.
I'd worry the most about antenna shapes and sizes and various analog circuitry.
If data can be recovered after fewer wipes, the people capable of recovering it certainly wouldn't advertise the fact. Extra passes are cheap, the costs of someone recovering data might not be.
Of course, the bad sectors that get transparently reallocated leave dead sectors that can probably be recovered and would not be wiped with stock firmware, so it's academic anyway. If you can't take that risk, you have to turn the media inside the drive into molten slag. There's no other way.
I rarely criticize things I don't care about.
You forgot that the plane wasn't over China but was in international airspace when it got hit by the Chinese jet. You got to love the Chinese claim that a 1950's turbo-prop airliner managed to ram a supersonic jet fighter.
Those guys are a laugh riot.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
That is mostly urban legend. There is a theoretical possibility that overwritten data could be reconstructed, even several layers "deep", but in practice there is no commercially available service capable of that stunt. If you know of one, name it (with references that they can do it). If they could do it, they would have to have technology available which could instantly multiply the space on these platters. It's not just a matter of having a reader with twice as good a SNR as a standard RW head. The writing harddisk doesn't just add signal, it also adds noise. The SNR on the platter will be barely good enough to read the signal of the last write. Otherwise the harddisk manufacturer could have made a bigger harddisk at the same price. The economics of the situation make recovering a previous write unlikely. The real problem with deletion by overwriting data is that it is really slow. It takes hours per disk.
Instead of worrying about residual magnetism which can at best be detected by government agencies with extreme funding, people should simply never write unencrypted confidential information anywhere. This also protects you in cases where you didn't schedule the removal of a harddisk, i.e. theft.
In terms of data on hard disk, there are three circumstances. First, a person may not protect the asset, i.e. not erase the hard disk, and a bored kid then rummages through the hard disk. Second, a user may not understand what erase means. There was a time when erase simply meant change a bit in the file table and mark the space as free. Unerase was then simply a matter of resetting that bit, and then seeing what data was left. Again, the bored kid would unerase and rummage. This has gotten better with the two stage trash can/erase, but can still be a problem. Both of these are simply solved by a hard disk wipe, as the bored kid will not spend hours with a hard disk, especially when the asset is of no value.
If the asset is of value, all bets are off, and the third case is in effect. If the data is of value, or is incriminating, then the scenario of the parent takes effect. Risk is increased not only because exposure has personal consequences, but there is a specific attacker looking for specific things. In the case of the story, the specific attacker has significant resources to throw at the problem. This was not some bored kid or some local PD on a fishing expedition. Therefore any shortcut trick that did not destroy the integrity of all the data would be insufficient. The attacker has at least the resources of the defender. This is the same problem with missile defense. Defense is much more difficult because it must defend against all threats.
So the permanent magnet seems effective and elegant. It does not require the vagaries of matching a wipe with specific recording formats. It restores the surface to baseline randomness, perhaps for real. Even normal destruction is often insufficient. I once heard a story where to destroy a secret paper one had to burn it, crush the ashes, blend it in water, dye it, and who knows what else.
Degaussers are nothing new. But there is no need to use them. Encryption does the trick as well. Just erase the key securely and you are done. If the device that the disk is installed in does not support encryption, then develop a module that sits between disk and device and encrypt on that. Attach a switch that triggers key erasure.
There is a second problem with degaussers: You have to physically remove the disks from their housing. That may take more than minutes.
And there is a third problem with degaussers: You have to very carefully check they work with each device they are to be used on. For example, older degaussers do fine for older disks, but are completely useless for modern ones.
And a 4th problem: Degaussers do not work at all for solid-state disks. Since they are not that uncommon in military application and actually may look the same, that seems to be a serious problem. One that encryption does not have.
I see one advantage for the permanent-magnet solution in military application: It works without power. But if you use the encryption-in-the-cable approach I described above, you can keep the key in a battery-buffered memory chip and erase that securely using the power of the battery (not quite as simple as it sounds, but it is possible to do). All in all, this mainly seems to be a scheme to sell the military something expensive.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
> it happened in 2001 to a US spy plane over an un-declared enemy (China, and that's a topic in itself).
This is offtopic, although a more interesting topic than "wiping data", but the plane itself was over international waters and never over China's territory.
Also, since when does spying require a declaration of war? The whole point of spying is to aid in deciding-the-need-for or course-of preemptive actions. Given the Chinese government's penchant for secrecy and censorship, it seems fair to want to keep an eye on them. The same point can be made about spying on any other country... everyone knowing what everyone else is doing has a stabilizing effect. All bad decisions are made in fear, which is brought on by ignorance, and governments, whose decisions affect millions, need all the tools possible to make correctly informed decisions.
Good trade relations with the United States are critical to the party's survival. If western markets became inaccessible and foreign capital fled, growth would falter, internal tensions would mount and the legitimacy of the party would soon be questioned. In any case, a global hyperpower can do just about anything it wants: weaker states must submit to its overwhelming might. And none of these rulers seek justification in your eyes.
China may have different attitudes and moral standards than the US, but they are doing many things right as well; more than western media tends to portray (e.g. according to the CIA world factbook China has a lower percentage of citizens suffering from poverty than the richest country in the world (namely the US)). I don't want to whitewash anything, but reading things like "undeclared enemy" in a tech article on an international website just pisses me off.
And when you gaze long enough into the code, the code will also gaze into you.
> ...undeclared enemy (which is China, and that's a topic in itself).
China is not an enemy. We buy a ton of stuff from them. They buy a ton of stuff from us. Our businesses have offices there. Our colleges have exchange programs with them.
Yeah, our diplomatic relations are a little bit strained over things like Taiwan, but we're nowhere near going to war with them. If you're a troll, shame on you. In any case, shame on the Slashdot editors for choosing this ignorant or trolling person's story.
vi ~/.emacs # I'm probably going to Hell for this.
Holy crap dude, If you hate porn pirates then you hate EVERYONE!!!
Are we perfect? No. But where should I move when I renounce my U.S. citizenship, North Korea, Libya, China, or Iran?
Umm... And your point is?
Yes, Francis Gary Powers overflew the Soviet Union and was shot down. Never said he didn't.
The EP-3 was in international airspace and was rammed by a Chinese fighter.
How is one anything like the other?
BTW according to international law it is illegal to shoot down an aircraft just from intruding into your airspace. There has to be a clear threat involved. Every attempt has to be made to contact the aircraft and to escort the aircraft to a landing field. There is an entire protocol worked out.
Russia did have at least a marginal case that the U-2 was a threat since it was so far in its airspace and overflying military sites.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I actually noticed the part about the drive being automatically pulled into the device. I assumed this meant that someone would eject the drive from whatever console it was installed in, stick it into a slot with warnings and yellow/black striped tape around the opening, and the motor (or hand crank) would draw it in past the magnets. It's possible that the intention is for one of these to be installed behind every hard drive in the plane and for them to get sucked in automatically, but the article isn't specific enough to say either way. Maybe someone will be yanking drives. Unless of course you have information outside of this article that is more specific???
Actually, people do know. They've tried it and it works. People have been able to recover data up to something like 2-4 overwrites and it's theoretically possible up to something like 5-7. However I believe this "theoretical" limit requires millions of dollars in technology.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
We are now at a point where companies change the way the magnetic domains are arranged on the platter to increase storage density. This means that mechanical precision and magnetic head SNR were not the limit to smaller domains. It was a physical limit of longitudinally arranged magnetic domains. PRML is standard. Harddisks have not written "clear fields" in a long time now. IOW, if there were a way to read overwritten data, harddisk makers would use that way to increase the capacity of the drives.
The way that one-time-pads work, if "attack at dawn" is a possible result, then so are:
attack at dusk
eat more veges
Where's Waldo?
hoist the sail
What you say!!
Zerowing Rules
Do you get it?
search google.
Cryptonomicon.
This is ending
Game is ending
Fire is ending
Heat is ending
What is ending
Iraq is ending
USAF is ending
It isnt ending
Now, which one was the correct decryption?
The reason a one-time-pad is "completely unbreakable", even resisting brute-force cracking, is that every possible string of length X is a valid decryption result for some key. So without knowing the "correct" key, it is impossible to recover any part of the plaintext. The four character ciphertext "sjrw" could decrypt to any of the following strings, even if you found my working paper and were able to deduce that the first two letters were "go":
golf, gods, gore, gold, gone, gout, goal, goad, goat, gosh, goog, go.., go??
No plaintext has higher probability than any other of being correct...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
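The one-time-pad property argued in the two comments above, as an added example that is not part of the original thread. It assumes a byte-wise XOR pad (the comments do not say how pad and message are combined), and the sample pad, ciphertext and guess list are constructed here.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine pad and message byte by byte; lengths must match exactly."""
    if len(a) != len(b):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def key_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`."""
    return xor_bytes(ciphertext, candidate)

def consistent_candidates(ciphertext: bytes, candidates) -> dict:
    """Map each same-length candidate to the pad that would 'confirm' it."""
    return {c: key_that_yields(ciphertext, c)
            for c in candidates if len(c) == len(ciphertext)}

# Constructed sample: the real message, a random pad, and an attacker's guesses.
REAL = b"attack at dawn"
PAD = secrets.token_bytes(len(REAL))
CIPHERTEXT = xor_bytes(REAL, PAD)
GUESSES = [b"attack at dusk", b"eat more veges", b"Where's Waldo?", b"too short"]

def known_prefix_demo(ciphertext=b"sjrw", prefix=b"go",
                      endings=(b"lf", b"ds", b"ne", b"??")):
    """Knowing the prefix pins the first pad bytes only.

    Returns (distinct pad prefixes, distinct pad tails): every ending still
    has its own valid pad tail, so the known prefix rules nothing out.
    """
    pads = [key_that_yields(ciphertext, prefix + e) for e in endings]
    heads = {p[:len(prefix)] for p in pads}
    tails = {p[len(prefix):] for p in pads}
    return len(heads), len(tails)

if __name__ == "__main__":
    # Every same-length guess comes with a pad that decrypts to it exactly.
    for text, pad in consistent_candidates(CIPHERTEXT, GUESSES).items():
        print(text.decode(), pad.hex(), xor_bytes(CIPHERTEXT, pad) == text)
    print(known_prefix_demo())
```

The only thing the ciphertext gives away is the message length, which is why the wrong-length guess is the one candidate that drops out.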
You may be correct but you are only talking about current technology. When you are dealing with the most sensitive data involving governments and the military you have to be pretty sure that the data cannot be reconstructed in five or ten or even fifty years time. Some of the more extreme suggestions for destruction of disks do not seem so silly in that context.