Single Drive Wipe Protects Data
ALF-nl writes "A forensics expert claims that wiping your hard drives with just one pass already makes it next to impossible to recover the data with an electron microscope." But that's not accounting for the super secret machines that the government has, man.
One wipe is never enough.
Didn't your mommy teach you anything?
Especially true after Taco Bell.
See subject.
Just use encryption (of your whole drive or partition) and forget about wiping it.
It's not that hard. For example, several modern Linux distros support encrypting your entire installation out of the box.
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
1) next to impossible != impossible
2) if the feds require multi-pass wipes for non-classified data and media destruction for classified data, why should I settle for anything less?
OK, maybe this guy is right and maybe the feds are behind the times, but I'd like to see multiple independent studies come out and say this before I'm getting rid of my drive sanitizers. I mean, we all know what happens to societies when they get rid of their equipment sanitizers, don't we?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I thought a few weeks ago we were supposed to drill holes in the drive platters and fill the case with thermite, then drop the whole computer into the fires of Mount Doom.
This week, a one pass wipe is enough.
It is not like you can have 2 values for a single bit at the same time, and density is so high these days that it makes sense to have a single write wipe the previous data forever.
have you been defaced today?
microwave your hard drive. Be forewarned, the ensuing fire may not be worth it.
That's what they WANT you to think.
In all seriousness. If the government wants to get information, they are not going to the trouble of an electron microscope to look at your hard drive. I'm sure they have other methods of extracting the information they want. While this information (about how many wipes you need) is interesting from a theoretical point of view, it is useless from a practical one.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
I thought this would be fairly obvious from the fact that there don't exist any recovery services that will recover zeroed-out data for you; at most they can usually try to recover data that has been deleted (forgotten) by the operating system.
Seriously, I'd like to see anyone recovering anything after that. Either do that, or smash a nail through the disk.
Mythbusters need to look at this. Then they should do a wipe that would really suit their style - a shock wave through the drive will raise the temperature at the wave front above that where the material is magnetic (Curie temperature). In other words - explosives!
I found that taking the disk platter out and using it as a coaster helps too.
Writing random numbers would be better than just zeros.
For example, painting a wall with one layer of white paint could still show the outlines of graffiti underneath that layer.
But if you were to use various colors all over the place it would become very hard to identify any shape beneath it, even if you were using just one layer.
Intuitively, this makes sense - being able to recover data from an overwritten part of the hard drive effectively means the capacity has been multiplied (if you can recover from 1 overwrite, while still being able to get the new data, the capacity has just doubled.)
If this was easy enough to do, Seagate, Hitachi, WD etc. would all be doing it (or are already).
That said, taking the word of someone whose job is actually recovering data - well, that might not be a good idea.
If you're storing unencrypted data which must not fall into other people's hands, then you're approaching the problem in the wrong way. Wiping the drive should at most be an additional measure. Never store unencrypted data on any drive that you intend to sell/give to someone else.
Wright did find that multiple passes do make it harder to recover data...
In other news, leaving out important details found to increase click-through.
Last month my grandma asked for a new laptop and prior to putting her old HP on ebay I wiped it via Gutmann 35-Pass method, way above DoD and NATO standards, so her ultra-secret vanilla cake recipe could remain a household secret.
It says data written to a pristine drive is much easier to access.
If drive-manufacturers wrote random data to their drives 2 or 3 times before shipping, I wonder if this would help?
Combine this with OS-level "overwrite with random after delete" or, to allow for "oopsies," delayed-overwrite after delete but before next use, the problem of "ghost data" in unallocated drive space could mostly disappear.
Of course, there are other issues, like data internal to a file that is no longer current, data in paged-memory files, and data on backup media, but that's outside the scope of the "I deleted the file, it should be gone but it's not" problem.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
[pulls tinfoil hat tighter over head]
Sure, that's just what they want you to think.
Hard drive meets Mr. Thermite.
These guys will give you 500 bucks
which is surely worth the time and effort involved in something like this.
What's it worth to you to have the data not be recovered? That's the real question here.
If a static pattern wipe will take about an hour and a half, and that's "good enough", great. If you're willing to invest a few days in running dban on the thing, that's better.
If you're willing to pull out a welding torch and reduce the drive to a smoking ingot, well, you're just about paranoid enough.
It's two parallel questions, really:
-what is the data worth to you?
-what is it worth to you to keep anyone else from getting the data?
Even if it isn't deleted, try to recover a simple 10Mb jpg using an electron microscope... I guess it is as close to the "next to impossible" as if the file was deleted.
Big Brother: "One pass is enough! Please don't overwrite multiple times. Trust me, I'm an expert and so is my microscope."
Can't I just fill the HDD up with random data? Doesn't that make it unrecoverable?
Summation 2
If there were a reliable way to read the previous value of a bit written to a drive, the drive manufacturers would already be using it to increase density -- effectively storing two bits in the space of one. This is similar to the basic principle of MLC flash drives.
Which, of course, would still make it impossible to recover data that has been overwritten, since each "bit" would be overwritten twice.
Wasn't it true that you had to smash your hard drive in order to be secure?
http://tech.slashdot.org/article.pl?sid=09/01/08/1328255
What about citing articles with references instead?
I've found one pass of a sledgehammer makes it next to impossible to recover data from a disk. Even read-only media!
What a fool believes, he sees, no wise man has the power to reason away.
I've sent a drive in for data recovery before and was asked which operating system to recover: Solaris or Windows NT....
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Why not:
dd if=/dev/random of=/dev/hda
instead?
That way you get random data, not just all zeros. Also you probably want /dev/hda so you blank the entire drive; not /dev/hda1 which only blanks the first partition.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
I use a blowlamp! One is enough.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
That would take too long - you can't depend on the blocking kernel random generator, as it needs a source of data to keep feeding the entropy pool.
I want to delete my account but Slashdot doesn't allow it.
It seriously depends on your crime as to how far police will go to obtain data from a hard disk.
If, for instance, you kill no more than three people in cold blood, they won't even look.
If you have a few ounces of pot, the DEA will use the FBI forensics labs.
If you have a history of violence and have beaten countless women, they won't even look.
If you've given more than a few hundred bucks to an Islamic charity, the NSA will step in.
If you bilk hundreds or thousands of people out of millions of dollars, they won't even look.
If you are accused of fighting on the train in San Francisco, they'll just hold you down and shoot you in the back. Fuck the computer.
http://16systems.com/zero/index.html
Just let someone's 13-year-old daughter have it for a few hours. They'll surely destroy your entire computer, which will become irretrievable.
then I'm sure anything is possible if enough resources are thrown at the problem. For everyone else, I'm sure a single wipe is just fine.
Besides, if the man (Tm) really wants to know what you're up to, there are MANY other ways of getting at your secrets than trying to analyze your hard drive.
Cheers,
Remember all the problems you had with the O/S on that disk? all the time you wasted trying to debug it?
What better end for it than to finally get your own back in a way that it can't possibly throw up any more problems with - unless of course a splinter flies up and catches you in the eye.
In business, where time is money, the time needed to reformat a drive - and then verify that it *has* actually been wiped - is far too long, especially for big drives. Far better to just crush them and be sure none of your secrets could escape.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The source of the claim seems Gutmann's 1996 article: http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/index.html where he says: "Data overwritten once or twice may be recovered by subtracting what is expected to be read from a storage location from what is actually read. Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM)." It was challenged already in 2003 http://www.nber.org/sys-admin/overwritten-data-guttman.html where Feenberg writes: "Surveying all the references, I conclude that Gutmann's claim belongs in the category of urban legend." As usual, this story shows that individual claims have to be checked by independent parties. Even the claim that it can not be done.
dd if=/dev/urandom of=/dev/hda
MFM isn't an electron microscopy technique. It's a variation of AFM where the tip has its own magnetic moment. It's a terrible technique for this application anyway.
"One up, one down, one to polish."
Dave Lister
You know, I work with electron microscopes. I have yet to see any actual information to back up just HOW they would "recover data with an electron microscope". I could see Atomic Force Microscopy with a triboscope or something, but not EM.
From the article:
A coin toss is usually referenced as the worst way to try and predict a 50:50 chance event. Disregarding all of the obvious problems (i.e. that the bits on a hard disk do not have a 50:50 distribution (unless compressed or encrypted), and that a coin is not necessarily the most random thing), I'm still left with a puzzler:
If his methods have less chance of prediction than a coin toss, all he has to do is add a "not" gate at the end of his prediction algorithm, and he'll have a better chance than a coin toss.
To take this to an extreme, assuming random incoming data, a coin toss has a 50% chance of a hit for the next bit. If you find a method that has a 0% chance of a hit, then just flip its output and you'll get a 100% chance of a hit. Lower chances than a coin toss actually mean a good prediction ability.
Shachar
To me a more valid concern is the following linear time algorithm to break encryption: /dev/randing a hdd is so easy that if you are paranoid enough to encrypt your whole hdd, including swap and filenames, then you might as well erase your hdd just to be on the safe side.
1) Invest $1000.
2) Making use of Moore's law, wait until $1000 is enough to buy a machine that can break that now old outdated encryption.
3) Profit!
It seems to me that zeroing or
You want /dev/urandom. Pseudorandom data is plenty for this purpose, and it won't take forever to generate either.
Give me Classic Slashdot or give me death!
I work for an electronics manufacturing company, and with damn near every consumer device "going green" and being RoHS-compliant, we won't have to worry about long-term storage anyway. Things like tin whiskering will ensure that your data will be wiped for you after a few years of use due to malfunction. After that, nothing a sandblaster or a few high-powered rifle rounds can't ensure that it's completely wiped.
Hard disks aren't so small that a bit is a single atom. So at the physical level you aren't going to have exactly 0 or 1. Potentially after zeroing 10101...
would become
(0.1)0(0.1)0(0.1)...
which could in principle be read by a sufficiently accurate instrument.
/dev/urandom
Finally, we have some sanity peeking through.
Anyone that's looked at the analog signal from a disk head *knows* you can't get anything useful from an erased track, much less one rewritten with random data. Those microscopic pictures of the letters "IBM" showing through an erased area are only proof that the human eye can integrate and lock into large-scale expected data, which is the exact opposite of picking out individual random bits. You can simulate this yourself in a spreadsheet or program-- take a block of data, erase it by multiplying it by say 0.1, add in new random data at full amplitude and variable phase, then try to find the original data. Rotsa ruck.
Under normal conditions /dev/random would likely take decades, if not centuries, to do the wipe.
That's what GNU shred effectively does (defaults to /dev/urandom).
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
I had 100% recovery (AFAICT) using Disk Internals, even though it didn't think there was even a partition there (I think track 0 was zeroed somehow). Was it just easier to restore from backup, or was there something making things harder? (For those that are interested, things like scandisk/fsck are not good for recovering data from badly corrupted disks, since those will only work if your filesystem can be returned to a perfect state. Typically most/all of your important data can be recovered from a corrupted partition even if your filesystem can't.)
... making it easier for the government to control your mind ... just so you know.
I can't help but sit here shaking my head in some disbelief at the comments I've read on this thread. Slashdotters are a technologically savvy community for the most part, and I lost track of the number of times that I saw something to the effect of "The government probably has means/software/tools/hacks to get your info."
Now, I've done extensive work *for* the government in the realm of computer forensics, which is as far as I'll elaborate, and the tools we use are commercially available. Were anyone so inclined, you could even attend or get notes on FBI or DoD taught digital forensics classes.
There's nothing wrong with some good old fashioned suspicion or conspiracy theory, but the *one* area that slashdotters should be mostly competent and knowledgeable on has more of those wild ideas than anywhere else.
They would "prefer" you wipe your drive only once, so they can retrieve the data. The gov't does in fact have clever techniques to recover data; even from wiped drives. Even from drives that have been wiped and "destroyed". The safest way to protect your data, apart from multiple wipes, is to take the platters out and have them ground up, in my opinion. :-)
[[[
What this means
The other overwrite patterns actually produced results as low as 36.08% (+/- 0.24). Being that the distribution is based on a binomial choice, the chance of guessing the prior value is 50%. That is, if you toss a coin, you have a 50% chance of correctly choosing the value. In many instances, using a MFM to determine the prior value written to the hard drive was less successful than a simple coin toss.
]]]
I hate to say it, but anyone who'd claim this clearly has no clue what they're talking about. Because otherwise "pick the opposite of what the MFM says" is a viable algorithm that's about 60% accurate.
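The simulation proposed above (attenuate the old data, add new full-amplitude data, try to find the original) and the "flip the predictor" point from the coin-toss post, as an added example that is not code from the thread, the article or Gutmann's paper. It assumes a toy readback model read = new + alpha*old + Gaussian noise with +1/-1 bits, gives the attacker the best case (exact knowledge of the new data, as in the "subtract what you expect to read" technique), and measures how often the residual old bit is recovered:

```python
"""Toy model of remanence recovery after a single overwrite.

Constructed example.  Assumed readback model per bit cell:
    read = new_bit + alpha * old_bit + noise
with bits encoded as +1/-1, `alpha` the residual amplitude the previous
write leaves behind (0.1 in the thread's suggestion) and `noise` Gaussian
read noise of standard deviation `sigma`.  The attacker knows the new
data exactly, so recovery is "subtract the expected read and threshold".
Nothing here models a real head, channel code or MFM.
"""
import random


def simulate_track(n_bits, alpha, sigma, seed=0):
    """Return (old, new, read) lists for one track of n_bits cells."""
    rng = random.Random(seed)
    old = [rng.choice((-1, 1)) for _ in range(n_bits)]
    new = [rng.choice((-1, 1)) for _ in range(n_bits)]
    read = [nb + alpha * ob + rng.gauss(0.0, sigma)
            for ob, nb in zip(old, new)]
    return old, new, read


def recover(read, new):
    """Best-case attacker: subtract the known new data, threshold at zero."""
    return [1 if r - nb >= 0 else -1 for r, nb in zip(read, new)]


def accuracy(guess, truth):
    """Fraction of bits guessed correctly."""
    return sum(g == t for g, t in zip(guess, truth)) / len(truth)


def recovery_accuracy(n_bits, alpha, sigma, seed=0):
    """Accuracy of the subtract-and-threshold attacker for one parameter set."""
    old, new, read = simulate_track(n_bits, alpha, sigma, seed)
    return accuracy(recover(read, new), old)


def noisy_oracle(truth, p_correct, seed=1):
    """Hypothetical predictor (stand-in for the MFM reads in the article)
    that reports the right bit with probability p_correct."""
    rng = random.Random(seed)
    return [t if rng.random() < p_correct else -t for t in truth]


def invert(guess):
    """The coin-toss post's 'not gate': a predictor that is consistently
    wrong is still informative, flipping it turns 36% into 64%."""
    return [-g for g in guess]


if __name__ == "__main__":
    n = 20000
    for alpha, sigma in [(0.1, 0.01), (0.1, 0.1), (0.1, 0.5), (0.0, 0.5)]:
        acc = recovery_accuracy(n, alpha, sigma)
        print(f"alpha={alpha:<4} sigma={sigma:<5} recovered {acc:.3f}")
    # Residual far above the noise floor: recovery is trivial.
    # Residual well below the noise floor: accuracy collapses toward 0.5,
    # which is what "no better than a coin toss" actually means.
    old = simulate_track(n, 0.1, 0.5)[0]
    bad = noisy_oracle(old, 0.36)
    print(f"36%-oracle: {accuracy(bad, old):.3f}, "
          f"inverted: {accuracy(invert(bad), old):.3f}")
```

The interesting regime is sigma comparable to alpha: with alpha=0.1 and sigma=0.5 the best-case attacker lands near 58%, so the question is not whether a residual exists but whether it sits above the read noise.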
But in principle this need not be the case. Imagine for example that your drive head didn't seek to *exactly* the same position it did last time it read the track. Then there could be for example a narrow strip where the original data remains. (There is also a possibility that data remains in relocated bad sectors, but that is a separate issue).
I just try to make bribing a good affair for both me and the government.
For a nice date: Call strftime(3C)!
Ideally, fill the entire drive with porn.
Unless of course it's the porn you wanted to hide in the first place, in which case overwrite the entire drive with /. articles.
Unless of course it's the fact that you are a geek (nerd/etc) that you wanted to hide, in which case overwrite the drive with sports trivia.
Unless of course... you get the idea.
If disks are being wiped at all, the costs associated with multiple passes are zero. And, increasingly stringent measures are proactive security under these circumstances. Even assuming this research is correct, what is there to lose?
If I recall, one of the HD manufacturers was planning to use glass or ceramics for the platters. That would solve all of the problems: run them through a device that grinds them into powder. Other option, throw them into a nuclear reactor; even if they could read the data off of it, they might die before getting anything useful off of it.
One paper says a single pass will securely obliterate the data.
Several papers indicate that more passes increase the probability that the data is obliterated.
No paper argues that more passes will somehow make the data more recoverable.
So, use more passes whenever you can. It MAY improve your security and will never decrease it.
There's enough info out there to the contrary of the article that leads me to believe otherwise.
http://yro.slashdot.org/comments.pl?sid=03/01/15/2345217
Perhaps the drive manufacturers could start a recycle program if you ship the disassembled drive back without the platters.
boycott slashdot February 10th - 17th check out: altSlashdot.org
and this: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
boycott slashdot February 10th - 17th check out: altSlashdot.org
$500 if you can prove otherwise. The Great Zero Challenge
My question is: How well do "wiping" methods apply to SSD's, and how necessary are they versus something like a simple "zeroing" of data?
The guy's a forensics expert. Of course he's going to tell you one wipe is enough. If you do more than that, he might be out of a job.
I'm surprised he didn't say "It's cool man, just write 'DELETED' in sharpie on the case and your drive will never function again. *snicker*"
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
If you use Ninnle Linux, files using the -s option are wiped (shredded) completely, untraceably, with NO chance of recovery. So be careful when you use this switch!
The shred option works so well, DoD is seriously looking at specialized versions of Ninnle to do their secure wiping of classified drives.
That's what Ninnle on the desktop can do for you.
While it is barely possible that NSA could and would, at great expense, recover some useful overwritten data from, say, captured North Korean drives, the notion that anyone here has any secrets that important to anyone other than themselves is laughable.
Overwrite the drive once before you sell it on Ebay to get rid of your bank account numbers and you're good to go. Your secrets are worth maybe $5.00 to organized crime and the government doesn't give a damn at all.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
His chance of retrieval was trivially above the random 50%.
You just could guess _any_ content with the same probability.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Was supposed to be a reply to the original post.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Pop in a DBAN cd, hit enter. You can tell the boss that you've performed a wipe that meets DoD specifications. There's no real time difference in doing one wipe, which doesn't meet DoD specs, or the three that DBAN does by default. Unless, of course, you are sitting there watching the percent complete go up. If you have free time to do that, how can I apply for your job?
For the google impaired, http://www.dban.org/
As an engineer who used to work for a hard drive company, one pass is not enough. For that matter, no number of passes will guarantee removal. The problem is that heads are often off-track by some amount and if you really want to recover data you can read the portion of the track that wasn't overwritten. Furthermore, it may also be possible to see the old waveform by removing the "noise" (what you overwrote with), though this is technology specific. To be safe, overwrite with pseudorandom data. Or just destroy the hard drive like others suggested. A good alternative is to give it a good jolt, since that will demagnetize the platter. A few stories ought to do it. Also, it might shatter the platters as a bonus.
As far as I know, from what I was told some time ago, the FBI does not have a good way to recover certain filesystems after they have been deleted, such as ReiserFS.
You mean electronics will be less reliable just so my children won't have eight types of cancer and brain damage?
What is this world coming to?
Just install Linux on it...
Then no one will use it.
lol
SSDs are not in any way susceptible to being examined under a scanning electron microscope to find visible signs of previous magnetic domain traces like a conventional hard drive's magnetic platter is.
All it takes to securely erase any flash-memory device it to overwrite the device enough times to overcome the wear-leveling algorithm so that each byte location on all the chips gets its value changed at least once.
Govt computer snoops and spooks know this, and they deeply fear the proliferation of SSDs in consumer-grade computers because it eliminates a powerful investigative tool from their grasp.
The multi-pass wipe myth is quite useful.
"To remove all this malware from your system will require a multipass disk wipe. We will let this run overnight"
"Before we can dispose of your old laptop/PC/foo, a multipass wipe must be run on the HDD. We will let this run overnight." (user leaves) Bring me the toolkit so we can take all the RAM out and put it in [annoying user's] system which he refuses to replace.
"Before we throw this broken HDD away, a multipass wipe must be run. We will let this run overnight". (user leaves) Bring me the toolkit so I can take out the magnets.
Every man's island needs an ocean; choose your ocean carefully.
The problem there is occasionally the drive wins or claims a draw by destroying the child as well.
Part of most if not all HDDs fall well under the "choking hazard" category.
Problem? I really don't see a down-side here...
Bow-ties are cool.
In the epilogue of http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html, Peter Gutmann basically calls the author of TFA a rtrd.
Apparently, he's confusing two different techniques, and Gutmann claims that, of course it won't work the way he's doing it. He's doing it wrong. You can't use the Magnetic Force Microscope to perform an error cancelling read, it doesn't work. The success rate is - surprise! - less than 1%, exactly like TFA claims.
Also, mentioned in Gutmann's epilogue, TFA confuses an MFM and a scanning electron microscope. They are not the same thing. An MFM reads magnetic levels, it doesn't "see" electrons like an SEM will.
In any case, Gutmann agrees with TFA but for very different reasons. The new encoding techniques nullify the MFM. There is no point using it because it won't give you any useful information on a modern drive. Also, the extremely high densities mean the only practical and reliable method of recovery is basic error-cancelling techniques, and that's only practical after one wipe. Even then, it's iffy at best.
So yes, a single wipe is probably all you need. But who knows what data recovery techniques will be invented? A single pass is probably good enough right now, but 3-4 random passes is pretty much a sure thing, regardless of future techniques.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
(Editor's note: SecurityFocus is currently investigating the veracity of the research paper mentioned in this article. Peter Gutmann of the University of Auckland, an expert on secure deletion, has criticized the work in the epilogue to his paper on secure deletion.) http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html This paper is a very good read and provides a lot of information on the topic, along with basically calling the authors of this article's paper an idiot.
I used to be a blacksmith, and I still have a nice little power-hammer in my workshop that delivers the clout of a 500 lb sledgehammer. I would be willing to bet that my way of disposing of my old disk drives, which involves heating it to about 800 degrees C in my forge and giving it a few taps with that mother would defeat the most earnest efforts of the NSA, since the drive comes out about the thickness of tin-foil.
:-)
Disclaimer:
The NSA has no jurisdiction here in Australia, (yet) and...
They would probably be bored by the contents of my drives anyway, and...
Yes, I am aware that that temperature will demagnetise the platters, but...
It's good fun to do anyway: shiny hot things and lots of noise.
When you are done, destroy the drive containing the pad. Problem solved.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Last time I cared about government standards for this sort of thing, I got the NSA document describing standards for the government. It basically reduced down to "take the hard drive platters, and grind them to dust".
While I may doubt the government in general, if NSA says wiping isn't sufficient, I'm inclined to agree with them.
Well, that kind of a recommendation doesn't mean that wiping a drive isn't sufficient - it just means they can't prove a wipe will be sufficient - they have to allow for the possibility that someone will manage to find a way to read a wiped drive...
Of course, if you look at it as a matter of liability - the known cost of destroying a drive (pretty cheap - even if you factor in the cost of replacing it) versus the potential cost of not adequately destroying your data - depending on the data it may be well worth physically destroying the drive. That's the other thing - there's a lot more on the line with the data the NSA's got, and there's more people out there to whom that data is worth the cost of attempting to recover it...
Bow-ties are cool.
Hammer* + lake = more effective and less effort. *NOTE - The hammer method will only work if you're strong enough... knowing /. readers it might be best to get someone else to do the hammer part for you..
microwave your hard drive. Be forewarned, the ensuing fire may not be worth it.
I can't believe you said 'ensuing' and meant it, Sam...
Bow-ties are cool.
Was it deleted, or was it overwritten? Reading deleted data is generally very easy, but reading overwritten data is generally not.
Hmmm. Floppies were so damn unreliable as a storage medium, it was almost pointless to overwrite them. But the old 8" and 5 1/4" floppies at least went through normal shredders OK without damaging the shredder.
Nuke it from orbit, it's the only way to be sure.
n/t
As information security professionals, we ought err in the direction of paranoia. That, coupled with the price ($0.00) and ease of using DBAN, makes this a moot point.
Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
That's what they want you to believe!
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I use RAID-10, it makes it really easy to toss disks, although it would be equally simple with RAID-5. Normally, I just toss one drive at a time, not a whole array, and by the time subsequent drives are tossed there is too much of a differential to rebuild any data. With RAID-5, this is made really simple because you would need to have N-1 disks to have any chance to recover the data -- it is cryptographically secure. However, RAID-10 can be quite decent in this regard as well. The more disks of the RAID-10 set an attacker recovers, the more data they will have, but that can be trivial as arrays grow larger (RAID-10 is more secure in large arrays than in small ones).
Really, I think this is one of the most overlooked advantages of configuring NAS and SAN solutions for one's enterprise or small business.
while it would theoretically take thousands of years to brute force it, random chance has them guess the right sequence on the first try (it could happen).
I came up with this theory in college, that if you throw your keys at the door an infinite number of times, the correct key will inevitably insert itself correctly into the keyhole, engage the tumblers, and open the door. This has not happened yet. Also please note: do not try this with your car.
That will prevent people from taking a second look at your data if your harddrive is full of nasty porn.
Or if they are perverted maybe it will distract them from trying to read anything but the porn off there.
Also I don't have much (if any) sensitive data on my harddrive. You can find shopping lists and some half finished source code on my drives (and porn).
“Common sense is not so common.” — Voltaire
But I doubt I can be bothered to even do that.
I am always amazed at the number of responders to subjects like this that go on about this way, that way and the other way, how they do this and so on.
What sort of odd data are you all keeping around that you need to secure to this level?
Pretty much all my data is dull and mundane.
Either everyone is paranoid or 12. Possibly both.
+----------------- | What is the question!
On modern drives, the data is randomized internally. Since PRML has worse error rates for certain repeating patterns than for random data, all modern drives XOR your data with a pseudo random sequence before recording.
One reason why a single overwrite is probably enough: The MR element is much narrower than the write head gap (less than one half), so tracks can be packed tightly together; they actually interfere with their neighbors. So the only reason why any previous magnetic signal should be left over is if the drive writes slightly offtrack - in different directions on neighboring tracks. Recording is always done to saturation, so nothing is left over on the track itself.
thegodmovie.com - watch it
Guttman's algorithm depended on early HD designs being sloppy. That is, the very "defect" that allowed overlapping bits to be detectable would allow multi-pass sloppy writes to smear out the original data.
Modern drives became smaller and vastly more precise. Hence, the mythology that one pass random write suffices because there is less or no overlap between bits written at different times, a theory which probably works equally well or better on high-precision non-mechanical drives like RW-DVDs or USB flash drives.
The probability that fatigue of some sort occurs in the receiving medium, maybe detectable by chemical analysis, is a consideration, as is the likelihood that journaling file systems impose extra layers of unwanted data persistence. Hence, physical destruction.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
That would take too long - you can't depend on the blocking kernel random generator, as it needs a source of data to keep feeding the entropy pool.
True. Grandparent probably meant:
dd if=/dev/urandom of=/dev/hda
(For people who aren't UNIX geeks: /dev/random gives you really good random numbers, the sort you'd want if you were generating a PGP key. If it runs out of random numbers then it blocks, and doesn't return until something happens to give it a good random number (e.g. an interrupt, where the nanosecond timing is pretty random). /dev/urandom gives you numbers that are random enough for most purposes, and it doesn't block).
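The overwrite-and-check that the dd one-liner above performs, as an added example that is not part of the thread: it runs a single /dev/urandom-style (or /dev/zero-style) pass over a file-backed stand-in for a drive built from constructed sample data, then reads it back to confirm the markers are gone and every block looks like the fill pattern. Pointing it at a real block device would be destructive, and a software pass cannot reach sectors the firmware has already reallocated.

```python
"""Single-pass overwrite of a file-backed "disk" (what dd if=/dev/urandom
of=... or dd if=/dev/zero of=... does), followed by a read-back check.

Added example, not code from the thread. It works on an ordinary file
filled here with constructed sample data; the markers and filler are made
up for illustration. The check covers only what the OS can address, so
sectors the drive firmware has silently reallocated are out of its reach.
"""
import math
import os
import tempfile
from collections import Counter

CHUNK = 1 << 16  # 64 KiB per write/read, like dd bs=64k


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for all-zero data, close to 8.0 for
    urandom output."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def wipe_target(path: str, mode: str = "random") -> int:
    """One overwrite pass over every byte of `path`. Returns bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            block = os.urandom(n) if mode == "random" else bytes(n)
            f.write(block)
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the pass actually reached the medium
    return written


def verify_wipe(path: str, mode: str, markers) -> dict:
    """Read the whole target back: no marker may survive, and every full
    chunk must look like the chosen fill (all zeros, or ~8 bits/byte)."""
    marker_hits = bad_chunks = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            if any(m in block for m in markers):
                marker_hits += 1
            if mode == "zero":
                if block.count(0) != len(block):
                    bad_chunks += 1
            elif len(block) >= 4096 and shannon_entropy(block) < 7.9:
                # a 64 KiB block of urandom sits at roughly 7.997 bits/byte
                bad_chunks += 1
    return {"marker_hits": marker_hits, "bad_chunks": bad_chunks,
            "clean": marker_hits == 0 and bad_chunks == 0}


def demo(mode: str = "random") -> dict:
    """Build a constructed 1 MiB 'drive' with recognisable content, wipe it
    once, and return the verification result before and after the pass."""
    markers = [b"BEGIN PGP PRIVATE KEY BLOCK", b"card_number=4111"]  # constructed
    filler = b"shopping list: milk, eggs\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        for i in range(16):  # 16 chunks of exactly CHUNK bytes
            m = markers[i % 2]
            f.write(filler + m + b"\n")
            f.write(b"\x00" * (CHUNK - len(filler) - len(m) - 1))
    try:
        before = verify_wipe(path, mode, markers)
        wipe_target(path, mode)
        after = verify_wipe(path, mode, markers)
    finally:
        os.unlink(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for mode in ("random", "zero"):
        print(mode, demo(mode))
```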
why this is so very important. The majority of people would only care about how 'clean-wiped' their HDD is if they need to get a giant porn collection off of it so they can give the computer to a youngin' or parent. /has no idea what he's talking about
It's far better to quote the "reliable" sources used to back up Wikipedia articles than Wikipedia itself.
Even Wikipedia doesn't allow using itself as a source in articles.
Ironically, it doesn't prohibit using Slashdot for supplemental information, but it does treat it like a blog/non-reliable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I used to be in charge of DOD Top Secret and above data (SIOP, SCI etc.). The procedure was to physically remove platters, run them thru a degausser, then mount them in a vice and grind off the layer of oxide. All this was done under the two-man rule and certified. This was the ONLY way to de-classify a drive. After that we usually made going-away clock plaques and such. When I was involved there was NO software-related wiping that would pass for high-level data wiping. These procedures have been in place since the early days of washing-machine-size drives and continued in the small PC and laptop drives of today. At least this is how the government did it. I would imagine that a 1, 2, or 3 pass of complete packet-fill wiping on home/business drives would be sufficient for most users.
I make good money getting data for people.
You know what a salary list goes for these days?
I acquire data as requested using legal methods. I never steal and only ask or find it.
Some drive encryption programs (EPHD for one) have key escrow schemes where the actual key used to encrypt drive data is not related to what is entered, but the entered key is just used as an access control device to get at the actual key, which is stored in hidden areas on the machine. While this kind of thing can be hard to unravel, it is not impossible, and is a reverse engineering job, not a cryptanalyst job. The original disk encryption programs had keys entered directly so the machine had no information about those keys stored anywhere save while the program was running. That was far more secure, though it made it necessary to create a new cryptodisk and copy contents to change key. If new keys can be chosen without changing the disk, be suspicious. The actual drive encrypt key is not what is entered and there are possibly backdoor ways to get to that key. This is a prime case of convenience lousing up security. Also, be sure that at least some adversaries may be able to unravel the obscurations in those cases.
If you have OTOH a drive encrypted with something that has direct key entry, and use a decently high-entropy key that you enter, you are reasonably safe... provided the key is not written down somewhere where it can be identified as such.
Nice theory, but totally full of shit.
I've done contracting for the government, and worked on a proposal which would have required "Secret" clearance for all staff involved. I have also worked with medical records for the local health authority. Finally, I've worked for oil companies that have liability for both customer records and planned exploration/acquisition to keep private.
You're making the mistake that everyone else on /. is just like you, huddled at home, worried about their pr0n collection. However, some of us are actually computing professionals, working in sensitive areas. Hopefully none of us are using /. as their sole source of useful information, but it's definitely not a bad tertiary source of input.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
It's a whole lot quicker & easier to upload a file to a drive than to bother trying to recover data that never existed.
Is there a way to log a fingerprint of the last N block writes to a hard disk to prove that your data has been tampered with?
I guess that wouldn't prevent Them uploading a file to you unawares before they bust you.
That's why the DoD has lowered their standards to a single fixed wipe and, to prove it, is going to send all of their super secret hard drives to China to be proven that the data is unreadable.
Because the DoD makes ALL its decisions based on sound science. That's why the Air Force took over the CIA's sponsorship of remote viewing in the 70s, why the Navy funded research into cold fusion and anti-grav, and why we're buying hand-held polygraphs for troops in Afghanistan.
I mean, I had the same knee jerk suspicion, but I'm not going to hold up the DoD's standards as proof of anything but potentially reasonable paranoia. The Pentagon has a long-demonstrated sweet tooth for junk science.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The problem with physical destruction is, how destroyed is destroyed?
I've said before that the absolute key to data destruction is KNOWING how precisely your data is gone. Software wipes of a certain type a certain number of times are a very deterministic, known, and reproducible method. A blast furnace is a very deterministic (and complete!) method. Taking a drive out back and whacking on it with a hammer, or tearing the platters out, or even shooting (or drilling) holes through the platters is NOT reproducible, NOT consistent, NOT deterministic, and NOT verifiable. Also not certifiable if you're doing it for someone else.
Physical destruction is great--if you truly destroy it. However, that ain't easy to do.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
> However, some of us are actually computing professionals, working in sensitive areas.
And this makes your personal financial data stored on your machine at home worth millions? Right.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
The government or military might be interested in your data, especially if you are not government or military. Especially if you are suspected of something. Whether or not it's true.
Assuming a government with infinite resources. Honestly, I'm no dittohead like the above poster might be, but I don't seriously worry about the government spending the money and effort to forensically scrub my drive for anything unless they had far easier to get evidence that it was worthwhile.
For example, a pedophile might have some incriminating evidence outside of an encrypted/wiped part of a hard drive that might suggest it was worthwhile -- like printed porn in his house, suspicious filenames in the "recent items" lists in the preferences of his programs, or logs in the government's possession of suspicious online activity. But if all you have is someone you'd *like* to lock up and a hard drive with empty space full of noise from a single random wipe, then it just isn't worth the trouble.
Of course, I'm in law school and have heard more of the prosecutor's side of things than most people. Prosecutors do have to worry about time and budget resources. Unless you think the federal government has some really good excuse to throw limitless time and money at you, you probably shouldn't worry. Forensics is *expensive* even without cracking open the platter and trying to painstakingly read info with an electron microscope. Mere searching of the live files on your system costs tens of thousands -- can you imagine how much days or weeks of electron microscope time + experts would cost? I'm thinking millions or more. No prosecutor wants to waste that kind of money on a shot in the dark.
And if you live far enough in conspiracy land to think you're a likely target for being "disappeared" or persecuted at all costs, then frankly *you* are a greater weak point than your hard drive for producing incriminating evidence. A little abusive detention would be a hell of a lot cheaper (and probably more fun for the jackboot squad).
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
You are a /.er. You lack the necessary upper body strength to propel the key with sufficient linear and angular velocity that it not only inserts into the lock while rotating clockwise, but continues to rotate with enough angular momentum to engage the tumblers.
Write all 1's to the drive, wait a week. Write all 0's to the drive, wait a week.
Then use the drive like normal. Once you are done with the drive then wiping it once should be fine.
If anyone can recover data from a dd if=/dev/zero of=/dev/sda hard drive, I suspect $500 isn't enough financial incentive for that person to reveal his/her ability to do it. $500,000, then we're talking.
I once had a signature.
NIST 800-88. Read it.. Love it! Modern hard drives have the command for data destruction built in, in the form of Secure Erase (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml). Block writing went out with the '90s, and unless you are using a drive that is that old, block writes are nothing more than a waste of time. Heck, the old DoD 5220.22M even calls on the NIST standard these days. Read up on it!
you could just buy a Seagate drive instead :-)
/dev/urandom
frandom (fast pseudo-random numbers) is brilliant for that
dd if=/dev/frandom of=/dev/sdb
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
1. "Secret" clearance is a joke.
2. Nobody wants the fucking medical records.
3. Someone might want the oil company exploration data, but if they want it that bad they can just kill your dumb ass and take it. It would be a lot cheaper for everyone involved.
One reason they require it is simple paranoia. The lengths you go to protect something depends on the value of the thing you are protecting and thus the lengths someone might go to get it. Same reason they use lots of armed, highly trained agents to protect the president. The president is extremely important to the nation and people will go to great lengths to harm him. When you are talking about classified data, you go to the paranoid extreme.
Another reason is inertia. These rules were written back when drives were much simpler and thus easier to recover data from. However the government moves slowly and hasn't bothered to update. Remember that at the time disks used frequency modulation to store their data. It was a pure binary "everything above this level is a 1, everything below this other level is a zero." Thus it was much easier to infer what the previous data had been. Now drives store an analogue waveform and analyze that to determine the most likely data it represents. It's called EPRML. It sounds like voodoo, but works great and is very reliable. It also plays hell with any attempt to figure out what was on there before, since there are no fixed levels for 1 and 0.
So I'm not saying don't do multiple wipes. It doesn't hurt, just realize that just because the government does it doesn't mean you need to do it too. Remember that one wipe screws over any and all methods that don't involve disassembling the drive. So unless you think someone is so interested in your data they'll take the drive apart and put it under a microscope, then one wipe is all you need. That is a whole shitload of work, and requires rather specialized equipment and training. You worried about people like that after your data? You think if they were that interested they wouldn't maybe just come and put a gun to your head to get it?
You need to wipe your drive because it's easy for any bozo to run a program that looks at what's in unallocated space. However you only need one wipe to prevent that.
The NSA is institutionally paranoid. Now that's a good thing overall; they protect the US's digital secrets. However that doesn't mean they do things the way you should. They are, for example, paranoid about mail bombs and the like. Mail actually gets sent to a company near them, who then ferries it over to them. Silly, but that's how they do it.
Also the NSA's reason to overdo drive security is simple: they protect some of the most valuable secrets. Don't do it just good enough, overdo it. That way, should you be wrong, oh well, doesn't matter. You grind the drive down and it is DONE. Nobody is recovering shit from that no matter what. So if it at some point turns out one pass wasn't enough, well, you are covered.
I very much doubt it is because there's any real way to recover the data.
meh - I'd start with physically attempting to offset the read/write head to look between tracks. The idea is there will be some overlap in the tracks, as each bit is expected to be overwritten by a zero. If each bit is a zero, there may be a method to find enough differentiation to reconstruct the data. Now if it was overwritten with /dev/random - well then it's worth giving up on immediately ... unless someone is truly masochistic and has nothing better to do for about a month. I believe it would require a couple of wipes with random data to ensure the random data overlaps the track edges. Reconstructing the superpositioned data between the tracks would be ridiculous to do unless an area with a known data structure is found - like the start of the file allocation table.
Doing this for $500 just isn't worth the time and effort. I don't think you would need a magnetic force microscope to do this though ... the built-in read-write head should be sufficient. You'd need to modify the circuit that controls the track positioning for the read/write head. The data would then need to be captured using something like an oscilloscope and dumped to another larger hard drive. Custom software would most likely need to be developed to do the post signal capture analysis - ideally a simple program to convert the data into a disk image, which can then be applied to a drive using common unix or windows tools. Maybe capturing a reference signal from the original tracks would be useful before putting it through the differentiating circuit/algorithm.
A magnetic force microscope would only be needed if the signal is too weak to differentiate for even the read/write head from background noise.
A data recovery firm would have to work closely with the drive manufacturer to find out details about the specific model, or this would require special funding for the drive manufacturer.
I'd say some people like the Obama administration would have an interest in funding the data recovery of the lost White House emails during the Bush administration...
Oh well - I'm Canadian and wouldn't qualify for the contest anyway - it says American companies only.
He's just trying to give you an analogy. He is probably not literally saying "We guess wrong most of the time," just that "You can flip a coin and your results will be just as valid."
Also, the DOD mode is great not because it's useful (as this article says, once is enough) but because it is a standard. We use that at work purely as CYA. That way if someone ever gets pissy we can say "We wiped the drive per DOD5220-22M." Mostly what we could see happening is someone gives us an old computer to wipe. We do, but they have data stored on a flash drive or something. That gets compromised, the data gets out, they try to say it was our fault, someone must have gotten it off the computer.
So we always do a full DOD wipe. Not needed for data security, but useful for job security :D.
... they have state of the art data recovery equipment.
A wooden board, wet towel, and bucket of water.
Have gnu, will travel.
Everyone knows that Windows reads your HD and then uploads the contents to an NSA directory on the Google cloud for their perusal. Why do you think you're not getting the bandwidth you paid for? And that BitTorrent is clogging the Internet? They don't need your HD!!
Give the passphrase a few million extra hashes and make dictionary attacks closer to the difficulty of a brute force attack.
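The "few million extra hashes" in the comment above is key stretching; as an added example that is not part of the thread, the block below derives the disk key from a passphrase with PBKDF2-HMAC-SHA256 and shows how the iteration count multiplies the cost of every dictionary guess. The passphrase, salt and the attacker's assumed hash rate are constructed assumptions.

```python
"""Key stretching for a disk-encryption passphrase.

Added example, not code from the thread. Every guess in a dictionary
attack has to repeat the same `iterations` HMAC calls, so raising the
count buys security linearly at the cost of a slower unlock. The sample
passphrase, salt and attacker throughput below are constructed figures.
"""
import hashlib
import os
import time

KEY_LEN = 32  # 256-bit disk key


def stretch_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive the real disk key from the passphrase. Same inputs always give
    the same key, so nothing about the key has to be stored on the machine."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if len(salt) < 8:
        raise ValueError("use at least 8 bytes of random salt")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def attack_seconds(dictionary_size: int, iterations: int,
                   attacker_hashes_per_second: float) -> float:
    """Worst-case time to try every dictionary entry against one salt:
    dictionary_size candidates times `iterations` HMACs each."""
    return dictionary_size * iterations / attacker_hashes_per_second


def iterations_for_budget(seconds_per_unlock: float,
                          measured_hashes_per_second: float) -> int:
    """Pick the largest iteration count that keeps the legitimate unlock
    under the given time budget on this machine."""
    return max(1, int(seconds_per_unlock * measured_hashes_per_second))


def measure_hashes_per_second(sample_iterations: int = 20_000) -> float:
    """Time one derivation on this machine to calibrate the budget."""
    salt = b"\x00" * 16  # fixed salt is fine for a timing probe only
    t0 = time.perf_counter()
    stretch_key("calibration", salt, sample_iterations)
    return sample_iterations / (time.perf_counter() - t0)


if __name__ == "__main__":
    salt = os.urandom(16)
    pw = "correct horse battery staple"  # constructed sample passphrase
    rate = measure_hashes_per_second()
    chosen = iterations_for_budget(0.5, rate)  # half a second per unlock
    print(f"this machine: ~{rate:,.0f} HMAC/s -> {chosen:,} iterations")
    # assumed attacker: 1e9 HMAC/s against a 1e8-entry dictionary
    for it in (1, 10_000, chosen):
        hours = attack_seconds(10**8, it, 1e9) / 3600
        print(f"{it:>10,} iterations: full dictionary in ~{hours:,.1f} h")
    key = stretch_key(pw, salt, chosen)
    print("derived key:", key.hex())
```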
What is this time monkey you speak of?
Anyone who posts on /. has, by definition, no data the NSA, KGB, Gestapo or any other such entity could possibly be interested in.
I only wish I'd learned this trick sooner.
His brother-in-law's two-year-old did.
In professional environments, hardware is nearly always redundant (and in this case, the disks are being disposed anyway), so the time cost remains zero.
For home users, what does that downtime actually cost? Furthermore, the disk being wiped may contain passwords to financial accounts, credit card records, and so on. Consider the cumulative worth those data have, or the costs involved if they are stolen and used for fraud. Divide that by how long each wipe takes (say, one hour). Is it cost-prohibitive for the additional security multiple wipes provide? No. The expenditure is so small as to be effectively nothing.
Analogy time. A category three hurricane looms. Experts tell us that, given the expected storm, one plywood sheet costing $5 nailed to my exterior window frame will protect my home interior. If the storm reaches category four, the single sheet will be insufficient and the damage will cost thousands and thousands. The increase in strength is unlikely but possible, and the edge case is disastrous. Do I buy two sheets for $10 and be certain or just hope and risk big to save $5? Again, no.
You're all missing a critical factor in your analysis. "damaged" sectors. Today's hard drives re-allocate sectors with problems on the fly and without your knowledge. That damage may be too significant for the hard drive's sophisticated read head to overcome. But you can be sure that there are bits left over for the NSA or even a bright scientist to recover. Are you willing to risk your sensitive data under those circumstances?
The only safe approach is to only store sensitive data in encrypted form. Once you are done with the drive you should probably wipe it (future-proofing), but you should be moderately safe even without wiping for at least a few tens of years with a decent encryption technology.
There is *no* way to recover the data on a modern drive after a single wipe. It is actually impossible. It cannot be done.
The reason is simple - although you may be able to detect a tiny tiny bit of data from the previous recording, you've no idea how strongly overwritten it is. Now, with old drives which used simple on/off pulses to write data to the disk, it would be possible to see if the bit you're looking at is a little higher or lower than it should be, and infer the previous value from that. Modern drives use a system similar to QAM - quadrature amplitude modulation - to pack more bits of data into each transition on the disk. Since the signal is essentially analogue, you'd need to know how badly degraded the print-through was. You can't do this, so you can't recover data after it's been overwritten even once.
Well, you could just assume it's all been overwritten exactly once. I imagine that this would allow you to reconstruct a fair amount of data -- particularly if people take the advice in TFA seriously.
Why would it matter if not all sectors were overwritten the same number of times. If all sectors are overwritten seven or more times you should be pretty safe, even on exotic hardware.
well... just put all the computers and printers and modems in a fire and leave them there until everything is destroyed completely and melts away.
The time of the MFM hard drives is over, it's now all SATA!
No need to use a wet towel while inserting your fingers in the plug anymore; because they just plug-n-pray!
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I know it ! I know it! Baby wipes!
It's the only thing which is not chemical .. or shouldn't be anyways!
Why baby wipes fgs? I was eating!
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
/dev/randon -> /dev/urandom
There, fixed that for you. It's going to take a LONG time to generate enough true entropy to fill a modern drive (using /dev/random). On *BSD systems and most other UNIX-like ones, there's no real difference between /dev/random and /dev/urandom, assuming the latter even exists. See Wikipedia.
Hell,
ought to be more than enough. And it will go a little faster, too. ( and you might think rc4 even quicker, but at least on my machine, aes is so much faster than disk that it doesn't matter )
Can you be Even More Awesome?!
>> push the planet it's on into the nearest star.
> But... that's where I keep all my stuff!
Ah, thanks, we young-Earthers were wondering why the Sun was so hot, now we know it's from all the porn you store there!
Take a deep breath, and think again.
The set of strings which look like meaningful data is a lot larger than even, let's say, the number of deterministic guesses you could possibly make in a reasonable amount of time. While at the same time it's also a lot smaller than the set of random data of the same length.
Assuming, of course, that we're discussing a reasonably large amount of data, e.g., more than 100 bytes (to be really generous, assuming ~2 bits of entropy per byte, a conservative estimate for English text, IIRC).
Or did I whoosh and you were going for Funny? EMIIW ("Excuse me if I whooshed")...
Hey, I've done it before. /dev/hda, but close enough.
Well, to
I was gonna donate the drive to my brother, and, well, some things cannot be unseen.
I only wipe the 0's, not the 1's
The thermite isn't necessary for wiping out your data, it's just there because it's freakin' AWESOME!
Indeed it is - unfortunately, however, even that does NOT always work.... especially when you are attempting to wipe out someone else's data using it. Just ask the UK's Craig Moore, who went to jail after his attempt to destroy a speed camera with thermite mostly succeeded but NOT fully: Jail for speed camera (thermite) attack motorist!
You know what? I think your post is actually the smartest in this thread.
.. Neither do I
As a data recovery technician, we wipe drives every day...always with a single pass.
During the recovery process, we mirror the damaged drives to an in-house drive, from which we do the file recovery process. After each project is completed and closed, we wipe the drive and reuse it for another project. If a single pass was not enough, we'd be getting shadows of other people's data in our recoveries. Of course, our mirror process is pretty much the same as a wipe, as it literally overwrites each sector of the destination drive with data from the source drive.
I'd hate to run a three pass wipe on our 1TB drives every day. It already takes 3-4 hours to wipe them with a single pass with our high speed tools writing at around 95MB/second.
So, to sum it up, I support the single pass theory.
The issue with this is it makes deploying disk images across a network a lot more hassle, rather than just being the size of the data it's the size of the whole partition. Does anyone have a solution to this? Trying to maintain a network with windows (mostly XP) and Linux machines, and standardised images make this a lot easier.
screw that. I made an account simply to say that I formatted my hard drive AND overwrote it with data, and still managed to recover my lost data that I formatted, with a simple program that I downloaded for free.
Next week they'll discover a new alien technology and the security experts will be advising us to nuke the drive from orbit. It's the only way to be sure...
Well it is! Game over man!
Does anybody have a copy of the actual paper, which the blog post doesn't link to: http://www.springerlink.com/content/408263ql11460147/
My university only has a subscription up to 2006, and I can't find it elsewhere.
Don't fix it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This debate always seems to come up somewhere every few months.
'...You need to write at least 7 times because of minute, traceable EM signals'. OK, fine, prove it. I have searched this topic to death and never have I found someone who was able to recover ANY data after 1 wipe, let alone 3.
If I had the money, I'd personally post a $1M USD bounty to whoever could recover a single file from a drive autonuked (3 passes) with DBAN. All this talk, nobody's ever done it.
Encryption is pretty much as good if done properly. Currently, if you had the world's top 1000 supercomputers at your personal disposal, it would take millions of quadrillions of years to crack a 128-bit key, and that's if you got extremely lucky and cracked the key very early.
Wipe it or encrypt it, or show us that you can crack or read it.