The Great Zero Challenge Remains Unaccepted

An anonymous reader writes "Not even data recovery companies will accept The Great Zero Challenge and only four months remain! We've all heard how easily data can be recovered from hard drives. We're told to make multiple overwrites with random data, to degauss drives and even physically destroy them just to be extra safe. Let's get the word out. The challenge is almost over! It's put up or shut up time. Can you recover the data?"

Do many companies really do EFM recovery?

[DigitAl56K]

Based on nothing more than personal suspicion, I think many professional recovery firms may be in the business of simply running expensive tools that scan through the partition and file table area and perhaps even the entire disk to locate data that has either been marked erased or had references removed (for a full disk scan) and then restoring it. Perhaps they'll also move the spindle from a dead drive into a new case to complete the operation, but I doubt there are many companies that will actually do electron force microscopy for you and even fewer that will do it at anything other than an astronomical fee. Powerful recovery tools can be purchased for a few hundred dollars now anyway. My opinion is that the recovery business is a focus around confidence that a professional will be doing the recovery and that you or your employees won't worsen the situation. In the event that a drive with critical data fails and you don't have a backup, who wants to be the person responsible for damaging the disk during recovery?

Anyway, IMHO this whole debate should be moot by now. If you want to secure your drive use full disk encryption (now freely available in TrueCrypt) and when it comes to destroying the data just overwrite the header area a thousand times with random garbage. It will take only a second or two, and the whole drive will be useless to anyone.

Of course it would also be nice if more manufacturers were producing encrypted disks as standard with verified schemes (there have been some lemons purporting to be secure that really aren't) so that we wouldn't have to do encryption in software.

Re:Do many companies really do EFM recovery?

[Justus]

If you want to secure your drive use full disk encryption (now freely available in TrueCrypt) and when it comes to destroying the data just overwrite the header area a thousand times with random garbage. It will take only a second or two, and the whole drive will be useless to anyone.

Except, of course, that the point of the challenge is that instead of encrypting and whatnot (which can be a good idea for other reasons, but I digress), you could just overwrite the drive with 0's once and dispose of the drive safely. This is most likely substantially faster than what many people propose, like overwriting many times or physically destroying the disk.

However, I think their methodology is pretty flawed. The reward for completing the challenge is $40 and the drive itself (which is worth $40-60). You also have to pay shipping, which will run maybe $10-15. I know that it's really not worth it for me to spend any time trying to recover the data from the drive—probably a fairly lengthy process—just for $85.

Re:Do many companies really do EFM recovery?

[arth1]

The conditions are also made to trick ignorant journalists. Anyone knowing a bit about file systems know that being able to restore some data from a drive is a heck of a lot easier than being able to restore file names, which they demand. Not only do you have to be able to restore the sectors that contain the file name metadata, but you need knowledge of the file system in question, and how exactly it stores its file names. If it's stored in byte swabbed format, you won't even recognize it as a file name.
Try to do a dd to a file of a working partition and then extract the file names from it. Unless it's a DOS partition or other ancient format, it's not easy, and that's with no zeroing.

Yes, the "contest" is a farce, and any company that enters into it will lose credibility just by entering.

Re:Do many companies really do EFM recovery?

[cduffy]

Everything that 'might' happen is a security risk. If you think I'm being an alarmist, then stop thinking about security. It's necessary to talk in such absolutes. Using a random garbage writer is, well, random. With random, there's almost no chance of it happening. On the other hand, using straight zeroes, it's not possible to recover data from a disk full of zeroes at all. No multiple obsessive compulsive garbage writing necessary. Simple, elegant, and true.

You're absolutely right that we're talking big brother paranoid level security -- but if you write straight zeros, and writing a zero makes 1->0.05 and 0->0, it may be possible to tell the two states apart. As binary as the data may be, it's still getting written to a physical medium -- and the Real World lives in analogs. Even were this true, however, writing multiple passes of garbage would prevent an entity able to distinguish 0.00 and 0.01 from being able to determine the media's prior state -- and that's the whole point of this operation. Claiming that writing multiple passes of random garbage (or, better, patterns selected to-purpose -- see the Gutmann method) is somehow worse security than a single pass of zeros is complete bunk; the likely case is that it simply doesn't buy anything worthwhile at all, at a cost of time and electricity.

That said -- absolutely, this isn't a likely attack; if there were a cheap way to make equipment which could read data with that level of precision off of magnetic platters, we'd be using it to make higher-density magnetic platters... and tolerances for how the data is written to those platters is much, much lower today than it was twenty years ago. (Against a twenty-year-old hard drive, I'd expect the chances of someone with a STM and a lot of time to actually be quite good).

Re:Do many companies really do EFM recovery?

[Tassach]

Data destruction can be trivially achieved with just dd and /dev/null

You ALMOST got it. Data destruction can be trivially achieved AGAINST TRIVIAL ATTACKS with just dd and /dev/zero. There are quite a few published papers on how to recover data from a zeroed hard drive -- attacks that are a LOT more sophisticated than plugging the drive in to a working system and running a piece of software. These attacks aren't easy and do require special equipment and actual knowledge of ELECTRONICS ENGINEERING, not just general computer geekery.

As a side point, it's /dev/zero, not /dev/null. cat /dev/zero (or /dev/random) spews forth a never-ending stream of bytes. cat /dev/null returns zero bytes.

Re:Do many companies really do EFM recovery?

[arth1]

That doesn't explain exactly how it stores the file names. The onus is on the one doing the recovery to find that out, which is unreasonable.
If you manage to recover a few thousand humanly readable words, how are you to know which ones of those are file names, which ones are part of other metadata, and which ones are data, without being an expert in the file system in question?

(Also note that different version of NTFS may behave differently -- the position of the metadata on the disc, for example, has changed.)

Re:Do many companies really do EFM recovery?

[Deagol]

Got cites?

I know of the original Gutmann paper, his follow-up debunking the "magical" 35-pass requirement, and then there was a dude who tried (unsuccessfully) to track Gutmann's original source material to see if any *real* data recovery had actually been done. This topic really interests me, and I've yet to find *any* evidence that data simply overwritten with zeros has *ever* been recovered (even partially) from modern hardware that even Gutmann himself feels is pretty immune to such techniques, given the density.

As illustrated in the old humorous "Physics Warning Lables" piece:

Advisory: There is an Extremely Small but Nonzero Chance That, Through a Process Known as 'Tunneling,' This Product May Spontaneously Disappear from Its Present Location and Reappear at Any Random Place in the Universe, Including Your Neighbors Domicile. The Manufacturer Will Not Be Responsible for Any Damages or Inconvenience That May Result."

Likewise, it's *theoretically* possible that such low-level magnetic scanning voodoo could recover overwritten data, but real-world evidence thus far has been nil. As others have pointed out, if such equipment sensitivity were feasible, then that technology would have been used to increase HD data density. In addition, if such techniques were truly feasible, any company that could do it would have enormous fame and financial success.

It's a shame that this particular "challenge" was so piss-poorly implemented. Maybe James Randi should put up some cash for such data recovery, as it pretty much can be filed under the "paranormal" category. :)

Re:Do many companies really do EFM recovery?

[Tassach]

Because the offered reward is not worth the effort. The guy's a nobody, and the price is a joke. If it were a major university or an individual of some note in the information security community who were sponsoring a contest, then it might be worthwhile. Some nobody with an obscure blog? Give me a break. Even if I still had access to a fully-equipped electronics lab, I've got better things to do with my time and $60.

Re:Do many companies really do EFM recovery?

[Hal_Porter]

Except that in the real world the FBI bust you because they have other evidence. If your Truecrypt partition doesn't have any trace of the stuff they know you've done they'll know it's the outer one, not the inner one.

The best way to avoid this sort of thing is to not do the sort of things that cause the FBI to go after you in the first place and not try to use your intelligence as a way to be completely immoral. Because we all know how well that worked out for Hans Reiser.

Wow, what a prize!

[Dahan]

So the prize for winning is a $60 hard drive, plus $40? Damn, I don't know why people aren't just jumping all over that!

Also, disassembling the drive is against the rules of the challenge, unless you're a "established data recovery business ... or a National government law enforcement or intelligence agency".

This "challenge" is stupid.

Re:Wow, what a prize!

[agurk]

Actually they also ask you to tell how you did it. Even though they claim it is not a scam it seems like a scam in the sense that they after this weird experiment have proven that recovery is impossible.

It is like me setting up a challenge - can ketchup stains be removed from my white t-shirt?

Send a self-addressed, postage-paid box you pay shipping both ways with packaging material to the address listed below along with a sixty $60 USD deposit United States Postal Service Money Order only and I will mail the t-shirt to you.

If you can remove the stain you get to keep the t-shirt and I will give you the amazing amount of money $50 and the right to become "official stain remover". Btw, if you can't prove you are a established ketchup removal business - you cannot use water or any other fluid.

If this challenge is not taken within a year I have the right to tell the world that the worlds dry cleaners can't remove ketchup stains. The whole clothes cleaning industry is a hoax.

Re:Wow, what a prize!

[Renraku]

The challenge isn't stupid, the rewards are.

If this were an X-prize type of deal, it'd be a lot better. Who's going to bother with EFMing a drive for $40? I guess some college students with access to those machines might, but those are very fickle and easy-to-fuck-up machines..aka..kept under lock, key, and password.

Jeez

[trifish]

Interestingly, the most important thing is missing from the summary -- the prize. So, what the prize is you ask?

An incredible, unbelievable, astonishing and amazing amount of... wtf... fourty (40) US Dollars? Yes, you heard that right! No wonder nobody has shown any interest in participating.

Full quote from the site: Should someone win, they get to keep the drive. They also will receive $40.00 USD and the title "King (or Queen) of Data Recovery".

Re:Jeez

[7+digits]

> Interestingly, the most important thing is missing from the summary

Not only that, but also the fabulous restriction:

"You may not [...] disassemble the drive"

This is ridiculous. A drive overwritten with zero data will, by definition, returns 0s through ATA commands. The reason why some people overwrite sensible data several time is to guard against a possible scanning transmission electron microscopy, which, of course would need the disk to be disassembled to be performed.

How can this ends on slashdot ? Don't know...

Where are the challengers?

[phantomfive]

Ugly unprofessional website, a prize purse of $40USD (plus the hard drive), restrictions that the drive can't be disassembled.....I can't imagine why they're having trouble getting interest. Raise the purse to $10,000 and you might have something.

In addition, according to Wikipedia, what he proposes is actually impossible, at the very least an electron microscope would be needed.

Can't say I'm entirely disappointed by this story, though. At least I learned something that I was ignorant of before.

Utter stupidity

[Reality+Master+101]

First of all, do data recovery firms ever *claim* they can recover from a zeroed drive? No, they don't. The claim is that government-level forensic analysis *might* be able to recover data with only a single overwrite, with very sensitive expensive equipment. Not terribly surprising the FBI wouldn't take them up on this challenge.

Second of all, someone is supposed to waste a lot of time and money for just a cheap drive and a piece of paper from some entity no one has ever heard of?

And they're doing this to "prove" that this type of data recovery can't be done?

This has to be the lamest challenge that's ever been issued.

I think you got it at the beginning.

[khasim]

It's about money.

Since the "reward" offered seems to be less than the regular fee that a company would charge for such, why would any recovery company waste resources on it?

Re:I think you got it at the beginning.

[gEvil+(beta)]

That was my thought, too. Reading through the challenge page, all I could think was "a whole 40 bucks?!?" I mean, even if I could do it, I'm not sure I'd waste my time for 40 bucks and the title of "recovery king".

Re:I think you got it at the beginning.

[dotgain]

If my interpretation is correct, you're still $20 behind (unless you actually value an 80GB drive), since if you win you get to keep the drive, but apparently aren't refunded your $60 deposit. This was exactly why I read the article - and when I found out what's at stake I thought it pretty obvious why even ten-year-old johnny with his hex editor haven't entered - this is the most pathetic competetition I have read of in all my time.

Re:challengers

[anagama]

The challenge does not seem well designed. First of, the person attempting it has to pay postage both ways, deposit $60 with the organization hosting the challenge and forfeit the deposit if the drive is not returned in the same condition as it was when sent (how are you going to use a scanning tunneling microscope if you don't take it apart), they only get three days, and the reward is a whopping $40.

Non-challenge

I would guess that lack of measurable incentive to do the recovery is what they are seeing. why the hell would a professional bother doing this for $40? I know I wouldn't. Put up some real money and your data will be recovered in no time.

why would anyone do this?

[mrvan]

Okay, here are my 3 reasons why a company would not accept this challenge:

(1) economical:

- I am asked to mail 60 USD to a random address, who claim they will return it to me if I send the harddisk back. This is a risk (how do I know it is not a scam?)
- In any case, I lose shipping charges both ways
- Maximum gain is 40$, plus an obscure web site calls me King of data recovery.
- Risk + Cost >> Gain

(2) International

I am asked to ship a US Postal money. A WHAT? Hello, creditcard? Paypal? Normal internaional cheque?

(3) Disassembly

All reasons I've heard for doing something more than dd is that there might be residual magnetic charge on the platter that is ignored by the filesystem. According to the rules of engagement, only some weird collection of institutions ("established data recovery business located in the United States of America" or "National government law enforcement or intelligence agency (NSA, CIA, FBI)") may disassemble the drive. How am I going to detect residual charge if I cannot disassemble it?

The last arguments compounds the first two, as only US Companies can disasseble, and disassembly voids the deposit, meaning I am certainly out 60$.

Next time that they want to be "noble and just to dispel myths, falsehoods and untruths", they should make a challenge that is actually interesting to any party to pick up.

From The Experts

[randomc0de]

Given my general level of paranoia, I recommend overwriting zeros, and five times with a cryptographically secure pseudo-random sequence. Recent developments at the National Institute of Standards and Technology with electron-tunneling microscopes suggest even that might not be enough. Honestly, if your data is sufficiently valuable, assume that it is impossible to erase data complete off magnetic media. Bur or shred the media; it's cheaper to buy media new than to lose your secrets.

Because all data recovery companies have electron-tunneling microscopes on hand for recovery and aren't just running a Linux distro with a modified ext3fs to ignore "deleted" inodes. The longest AES key I've cracked is 28 bits (in Python, no less!). Yet we still use a minimum of 128, more likely 256. It's not the guys running recover I'm worried about. It's the spooks with electron f'ing microscopes and a direct connection to AT&T.

Not so.

[Jane+Q.+Public]

If you were a data recovery company, you would gain an ENORMOUS reputation if you were to complete the challenge. And the cost? Shipping.

That is the cheapest publicity they would ever receive... and what publicity they would receive!

Re:Not so.

[DigitAl56K]

That is the cheapest publicity they would ever receive... and what publicity they would receive!

Yes, what publicity they would receive? :) I've never heard of 16systems.com before, their site is barebones with almost no articles. I dare say they caught a lucky break with this Slashdot article. Maybe I'm wrong, but it seems that there is no obvious publicity to be had (before now). And should recovery firms respond to everyone with a small website who issues a challenge?

Re:Not so.

[Henneshoe]

I hope that was sarcasm, because really who hasn't heard of 16systems.com and their (not so) great challenge. The publicity from winning this is next to nothing.

it is PR

[someone1234]

1. if you don't accept this simple the challenge, you definitely scam your customers. Some will take notice, and you lose more.

2. if you accept the challenge and WIN, then you get free advertising. (If you accept but lose, you still get some bad PR, but at least you can say the drive was fake).

Re:it is PR

[arth1]

And the drive being fake is a distinct possibility here. The guy has an agenda, that's pretty clear. And where's the accountability? Why should we believe him when he says what has been done to the drive? Any more than we believe British barristers representing the late Mr. Ongopongo of Nigeria in their claims that they have some millions of dollars they want to give you?
Because we want to believe him, because his claim is very plausible? Sorry, that doesn't increase the accountability or invalidity of this "challenge".

Unless acceptable witnesses can observe (a) the original status of the drive, (b) what was being done to it, and (c) the drive being kept secure from interference from (a) onwards, it must be treated as suspect. No matter how honorable the intent is. Intent is worth shit, and any company or researcher that would be foolish enough to enter this "challenge" would be tainted with same.

Re:it is PR

[ShieldW0lf]

This is bullshit. The terms of the challenge indicate that you cannot disassemble the drive. Real life does not operate under such arbitrary rules, therefore, a failure to meet this challenge does not in any way establish that you cannot recover data from a drive that was treated in this fashion. All it establishes is that 3 random data recovery services are not confident in their ability to use the electronics integrated in the drive to recover the data off the platters. Or, they're not interested in participating in some contest because they've got paying clients to service. Can the data be recovered in a clean room with highly sensitive specialized tools? Who knows?

Re:it is PR

[KillerBob]

Bingo. It's also worth pointing out that the $40 prize offered isn't even close to the normal fees that such companies charge to do data recovery. The cheapest fee I've *ever* seen quoted for a post-format recovery was $1700, and that was a special offer being made to our customer care because of a tech. support fuckup. (they didn't tell the customer that reinstalling the OS would delete all their pictures, and the customer raised a stink).

Such a "title" as the one offered by this so-called "challenge" is hardly worth the effort expended. Especially considering that this article is the first I've heard of it... How is this Slashdot-worthy?

Re:it is PR

[Chaos+Incarnate]

There's absolutely no evidence that the drive he ships out is the drive shown in the screenshot after exactly one iteration of dd and no other operations of any kind.

Re:it is PR

[temcat]

The terms of the challenge indicate that you cannot disassemble the drive.

Have you actually read the terms?

"If the challenger is an established data recovery business located in the United States of America (We would need to see Articles of Incorporation, a current business license and one other form of business identification in order to determine that they are indeed a professional, for-profit, established data recovery business) or a National government law enforcement or intelligence agency (NSA, CIA, FBI), then we will allow these type of organizations to disassemble the drive and to keep the drive for thirty (30) consecutive days. "

Re:it is PR

[FLEB]

Well, if a firm thinks they can recover files after a one-round zeroing, they can replicate the challenge themselves, document the entire process to the proper degree, then try the actual challenge to see whether it works the same. If it isn't, it's merely a matter of producing the evidence of their own in-house success and questioning the discrepancy.

This will sound totally paranoid, but

[bill_kress]

The few people who MIGHT have the capability to look beyond what is written on the drive and see patterns remaining from previous data are most likely the ones who would prefer that the concept remain vague and unproven.

Re:Once in a lifetime marketing opportunity

[bluelip]

The folks that can do this aren't closely interested in what few comments a bunch of /. folks can make about them.

Get a clue. If an organization does this type of work, 1st they're not going to advertise it. 2nd they'll have so much work, they don't need to advertise.

Wake the hell up and get out of VB and java land.

16 Systems a FRAUD??

[sciop101]

Anybody find an archive of the "The Great Zero Challenge"?

16 Systems website looks like is a web-page assignment from an 1980's HTML tutorial.

The services listed are BASIC/Javascript end-of-chapter exercises.

Re:NSA claims to have this

[cduffy]

My mom attended a litigation support conference where NSA actually claimed to be able to read a drive's contents after SEVENTEEN zero overwrites.

Along those lines, I once knew a professor who claimed that the NSA was doing automated keyword scanning on the national phone system in the late seventies. There's quite a lot of uncertainty about just what their capabilities are and aren't... and presumably they like it that way.

Critical line in the Challenge:

[Morosoph]

You may not write any data to the drive or disassemble the drive.

So you're not allowed to (for example) exploit redundancy or error checking on the drive itself? If dd wrote zeros, that's what'll be read unles you can get "lower" than normal drive access.

This challenge has nothing to do with the security of your wipe. Rather, it has everything to do with dd successfully writing zeros given normal access.

Well known

[gweihir]

The German computer magazine c't did try to get a disk that was overweritten once with zeros recoverd two years ago or so. All data recovery companies they contacted (all the major ones) said they could not do it and that it was likely impossible. So this is not newa at all. Even Gutman had an addendum that says tomething close for modern disks.

The source of all these stories is that it used to be possible, when disc coatings were more advanced than r/w head and electronics. That is not the case anymore. It is very likely that you cannot put much more data on the disk than a moder HDD does. That also means that a single overwrite is an unrecoverable deletion. Keep in mind, that due to the particulars of the modulation, an all zero overwrite does not take up less of the surfaces data storage cabaliluty as a fully random overwrite.

Basically the pople that claim recovery is possible are one or so decades behind the times. Nothing new.

Get off it.

[Jane+Q.+Public]

You would do it once for less than $40 if you thought it would make you $400,000 over the next year in new business brought in because you proved you could do it. You would do it at your own expense. You would pay $1,000 to prove you could do it!

THAT is the whole point, in a nutshell. Anybody who could do this would have people lining up at their doors, wanting to lay down money for the service. Failing to even try to prove that they can do it demonstrates only one thing: they can't. The $40 thing is nothing but a red herring. Any company that could, would.

Re:It is recoverable, but at a price.

[glwtta]

So bottom line is that you could send the drive in to Western Digital, and they could probably recover the raw data with about 90% accuracy.

That's a pretty impressive number, to just pull out of your ass.