Slashdot Mirror
Unclean Military Hard Drives Sold On eBay
An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay.
The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq.
The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.'
Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."
Later:
Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible? Granted that there would be capital outlay, but a lot of that is recovered by selling the drives again through the vary same channels, and the risk of getting caught would be extremely low. Quantity of information is lower than with network-based methods (eg, keyloggers, sniffers, etc.) or other information-gathering methods, but I would think the quality of the gathered data would be much, much higher. Good enough to resell for a relatively high amount.
It seems, to me, that there is a bit of hyperbole going on here.
I guess we'll need to format them in a purifying fire then.
You can wipe a disk with "dd if=/dev/zero of=/dev/sda" and nobody will get anything from it after that, but the problem isn't the technical feasibility of securely wiping a hard disk: It's a problem of procedure. If hard disks are sold, there's always going to be a mishap where disks which were supposed to be wiped are not and sold with the data intact. Also, why was this data not encrypted? Anyway, hard disks are just not worth enough to take these risks. Destroy the disks and do it in-house.
Before people start discussing if drives should be overwritten 32 or 2^32 times, please show me ONE proven example of a regularly zeroed drive being recovered.
This challenge has stood for more than a year.
http://16systems.com/zero.php
"which I believe is wiping the whole disk and then writing 1010 all over it."
Taken from DoD 5220.22-M Wipe Standard:
"[...]DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."
I perform computer forensics work, and part of my research towards obtaining my degree was going to the MIT Swap Meet (great event) and buying used hard disks from vendors on occasion. In about 90% of the cases, the user appeared to have simply "deleted" the files, with nothing more. Now, I would expect this for a normal home user, not knowing any better, but the biggest thing of concern was the number of drives that came from various corporate entities. I was able to see and read data from drives that clearly came from several major banks, including mortgage apps, SSN's, corporate planning documents, etc. Again, the files appeared to have been simply "deleted" by the IT folk, instead of securely wiped, making it trivial at best to read everything.
So while this example is no better, I believe it highlights an ongoing problem that involves better user education and disk encryption helps solve.
I used to work for a major OEM whose clients included the military, along with other branches of the US government. The military in particular had a "strict" policy about hard drives: they did NOT RMA them EVER. If a PC of theirs was to be returned or sent in for service, it arrived without the hard drive.
What's the point of such strict policy towards your supplier if some dumbass from within will just pawn it off on Ebay?? It's not the first time this happens.
..the market is being flooded with Chinese made ground to air missile defence systems, available for a quarter of the price, and half the accuracy.
Fine Print: THERE IS NO WARRANTY FOR THE SYSTEM, TO THE EXTENT PERMITTED BY APPLICABLE LAW
Why does the DoD not simply destroy the disks in question?
Power corrupts the few, while weakness corrupts the many.
scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.
That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.
-Loyal
I aim to misbehave.
Did lockheed actually own these machines, or do they lease them? My guess is LM (like most larger companies) has a contract with someone like CSC/IBM/etc who actually owns, maintains, and replaces machines. This is probably where the ball was dropped. Every 3 years here CSC replaces 10s of thousands of PCs that they are itching to sell off before they depreciate into worthlessness. I can certainly see them taking short cuts, or missing a few. This is the problem with outsourcing IT infrastructure. They don't always really understand or care about the same thing as you.
The drives were probably illegally sold. DoD requires the destruction of classified drives, and contractors are supposed to follow the same rules. If the drive(s) in question held classified data (which they apparently did), they should have been wiped, then physically destroyed. Sounds like someone bypassed the last step, and tried to make a little profit on the side, by selling the "destroyed" drive.
Disclaimer: I work for a contractor on a US Government contract, working with classified data. (at the five-sided building)
Or are these types of stories probably sponsored by E-Bay's PR department..
:D
:D:D
Just think of all those people now bidding on old hard drives now... Probably won't be able to pick one up for under £99 by the end of the week
That reminds me... Got a few old ones to sell myself...
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
The problem is when people have a whole bunch of them and 100 40 gig hard drives sold at a flea market can pickup 2000 dollars some weekends. I did a pull once where the guy was savvy enough to wipe the hard disks but did not check all the CD-Rom drives, half of which had CDs in them with corporate information. Looking it over I could of easily sold the info to an unscrupulous competitor but decided to just send them to him COD for cost of postage.
An Education is the Font of All Liberty
I worked in a highly classified facility once. The wipe "standard" was to hire a lowly intern (such as myself), remove the platters from the case, take them out back, and sandblast them. The agencies scientists had decided degaussing wasn't good enough.
SirWired
First part of story. scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.
I just had a mental image of a private being assigned a sharpie and a room full of hard drives, furiously writing 1010 on each one.
Are to overwrite the harddrive 9 times, then degauss (which makes a loud POP and the magnetic information is GONE, and THEN to drill 6 holes through the drive. The DoD policy memo can be found here http://www.drms.dla.mil/turn-in/usable/cpu-memo-jun01.pdf
This space intentionally left blank
The procedure is actually to write random bits (01101111010110000 etc) at least seven to 13 times! This doesnâ(TM)t 100% guarantee nonrecovery, but it comes very close. Also, most hard drives are *not* regularly zeroed out (in free space), unless thereâ(TM)s a security policy in place at that particular facility/organization/office that implements a daemon thatâ(TM)s going to handle it for you.
Thinkingman.com New Media
First, everything that is SECRET must be serialized and fully accounted for at all times. Paperwork must be done when it is decommissioned.
It must be physically destroyed. If it's a CD, then it must be broken or otherwise scratched to the point where reading any data off it becomes not only unlikely, but impossible. Fire is good.
Hard drives (I had one fail on my in Iraq) must be double packaged, clearly labeled SECRET, and escorted by authorized personnel the entire way to somewhere a lot higher than the infantry battalion I am in to get properly destroyed.
Since it's got Lockheed Martin employee information on it, it's a Lockheed Martin hard drive, and their accountability is probably not as demanding as the Marine Corps...probably a guy in the tech department wanting to make some extra money.
The end-users probably aren't (officially) selling their used drives; they're probably selling their three year old machines by the kilo to an authorised disposal agent, who in turn wipes the drives (or is contractually supposed to do so) then either sells the machines as used, or breaks them into components for sale as used.
Why does anyone sell hard drives second hand, anyways? Most organizations and people buy them, and keep using the old disk until it either dies or becomes so obsolete that it's no longer worth using. How much value does some old 60 gig hard drive have on ebay, anyways? New 1 terrabyte drives are a mere $70 at newegg!
I can imagine that the drives might come from retired PCs. Many companies replace their PCs every X years for various reasons: their lease ran out, the PCs are too underpowered for current software, or upgrading/maintaining the old machines becomes too much of a hastle.
After disposal/donation/selling those PCs have to go somewhere, so I'd imagine they get broken up into their main components and sold off. Selling a PII-266 might be a tall order but someone might want that 60GB HD.
OK, obviously /. has a problem with UTF8, which my browser's inserting by default. sorry
Thinkingman.com New Media
wiping the whole disk and then writing 1010 all over it.
Did exactly that. Removed it from a computer. Wiped all over the disk. Then took a marker and wrote all over it. For additional security, wiped it *again* to remove the marker. And you nuts are still claiming there's secrets on it...
</fiction>
A++++++++++++ service! Quick shipping, and free military secrets included! Would buy from again.
The problem with writing 1010 all over the disk is that it only covers an extremely tiny fraction of the disk. Most modern drives are much larger than 4 bits.
It is also highly inefficient since the OS would always have to read a whole sector (typically 512 bytes) and modify it in memory before writing it back again to avoid changing any bits outside of those 4 that are to be wiped!
So, why not just sell it on eBay and hope the buyer wipes the disk before using it?
I work for the IRS and we supposedly use the DOD standard. Our wiping software actually has a "/DOD" switch. However, unlike the standard quoted in another post, our software just reinitializes the MBR and then does 7 random overwrites. Is that better or worse than writing patterns? I dunno.
I do know, however, that we never let a drive out of our inventory without a wipe. If the drive has failed completely, we have a big magnetic blanker we use. (Local option - in my office, we then take those drives apart, abuse the platters, and one of our techs makes sculptures from them. Neat stuff.)
As an aside, we never RMA drives, either. If a drive in our possession fails, we call for a warranty replacement and send back in the return box a signed statement swearing that we destroyed the old drive. If a laptop has a failure that requires a contractor tech to replace parts, we make them come on-site then have someone stand over them the whole time to make sure they don't try to actually read anything off the drive.
I would expect the military to do at least as well. Am I wrong?
I just got out of the Military and was in there for 6 years. Not one time did we ever wipe a hard drive, not because we did not care nor to lazy. We never sold the hard drives or gave them away. We either reused the drive or we smashed it and then recycled it. The Army is so paranoid that we even had to take RAM out of old computers that processed classified information just because it MIGHT have information left...
Every time a piece of hardware which wasn't properly cleaned to the recommended levels, the individual responsible for letting it leave the premises should be held accountable....personally. How about sharing state secrets with the enemy? You can't know who it was destined for so there's every possibility it will go overseas. To my knowledge this carries a harsh sentence, but we can allow a prison sentence if they co-operate with the authorities and ensure the command level personnel are also charged.
My guess is that most of this stuff happens through employee laziness, and contractor unaccountability. If you have lobbyists lairing in government to ensure that you keep the contracts no matter what and are able to hide anything under the "national security" red herring then why bother enforcing rules like wiping stuff properly? The idea of being held PERSONALLY responsible, with potential jail time will make people stop and think, specially if the command level have no loophole to blame their underlings for anything the press find out about.
For all anyone knows it could have been stolen.
I am very small, utmostly microscopic.
Why wipe a disk?
Media is cheap nowadays. Just destroy the disk.
100 * 40 gigs = 4 terrabytes. Or 4 $70 drives off of newegg.com, shipped to you brand new. With warranty. Who is dumb enough to pay anything for a crummy worn 40 gig drive? I shudder to think of the power draw of 100 drives grinding away.
Wiping hard drives is no rocket science. It's HARDER than rocket science, indeed.
One of the researchers, Professor Andrew Blyth said: "It's not rocket science..."
I want a list of atrocities done in your name - Recoil
Has anyone here ever used an induction cooker to wipe/destroy a hard drive?
It seems that should be effective and entertaining.
for my Alesis HD24 http://www.alesis.com/hd24 old IDE drives is what this multi-track recorder users.. a 500 or even a 100 gig drive is a waste in the machine as you are limited in number of songs and audio tracks. Plus I have had issues with the machines undo features and modern drives. and sadly the newest version still expects the same old IDE drives.. which are hard enough to find. now to hard drives containing classified information.. agency's are only allowed to reuse drives on systems of the same classification or higher.. so if the data was on a secret system, once wiped can only be used on other Secret or higher systems. other wise must be destroyed. a lot of this supposed classified information is sensitive but unclass. which is not a classification but a handling instruction. The unclass part is a classification, and the lowest protection level, so things slip, solders send computers to DRMO with out following procedure as its only unclass, but they forget the handling as procedure as SBU, and news stories like this get out. also most of this looks like corporate design information or even some engineers stored information on projects he is working on and all may be SBU or even fouo, but most companies do not have a requirement to wipe drives before reselling them or returning them from a lease, and if he did work on his home computer all bets are off.
[probably to post tomorrow]
Gigabytes and gigabytes of pornography and highly sensitive login details for gentleman's art sites were bought by a US military missile air defence base second-hand on eBay.
The artistic pamphlets were found on a hard disk for the SPLORT (Super-Powered Less Obviously Retronymed Thing) ground to air missile defence system, used to shoot down Scum missiles in Iraq.
Dr Andy Jones, a researcher at the base, said "This is the fourth time we have carried out this research and it is clear that records left on hard disks are the twenty-first century equivalent of random pornographic magazines found in bushes and parks by masturbation-crazed eleven year old boys. PHWOAR, LOOK AT THE TITS ON THAT ONE! I'm sorry, I'm just reviewing a birdwatching site. Fabulous display of Cyanistes caeruleus.
"Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. Thank fuck."
The disk also contained login details, credit card numbers and 18 USC 2257 information on ... "prospective military contractors," said Dr Jones. "Really. Prospective contractors. We're getting in touch right away."
http://rocknerd.co.uk
A hard drive contained records from human resources *and* classified THAAD information? No way that's true. Classified information would be on its own network, and there would never be any reason to copy it to HR. Even if a contractor neglected to destroy or wipe a disk, only one type of information would be found on it, and not both.
I worked for a government contractor at Tinker AFB in Oklahoma back in 2005-2006. I was on a contract doing server/desktop support for a wing on the base. Whenever we had a failed drive in a desktop, laptop or server there were certain protocols that we had to follow to make sure the data was compromised. We had to remove the drive and then take it apart completely. Once it was dismantled we had to scratch the platters to make sure they couldn't be reassembled in a different drive. I was also in on a server upgrade and they were going to sell the old server in a surplus auction. We were told to run a wipe of the drives and then REMOVE THEM because DOD regulations stated that the drives couldn't be sold at all. Then we had to destroy the drives in the same way I described above. Obviously this situation is someone not doing their job or just taking drives to make money.
?? why would sandblasting an intern help in wiping the disk?
Last time I read the military specs for harddrive disposal, moderately sensitive data disks should be deleted and zero'ed 7 times. (That options is on the Mac Disk Utility, BTW.)
Think Deeply.
That challenge is a joke.
1) If I could recover data from a zeroed drive, I'd charge a lot more than USD500 to do it. Why? Because there will be people who would pay.
2) I'd charge a LOT more to show you how to do it with NDA etc.
3) I'd charge even more to publicly disclose to everyone how to do it.
Secondly this from the website is even funnier: "Yes, if your company is an established, professional data recovery company (see below). Send a self-addressed, postage-paid box with packaging material to the address listed below and we will mail the drive to you."
Go look at Pwn2Own as an example of a competition that gets some serious entrants. The last I checked, USD10000 plus a Macbook is worth more than USD500.
I'd say hacking OSX is easier than recovering zeroed drive - especially since involves using far more expensive hardware.
Same reason you can still buy new technology 40g drives... because 100 striped 40 gig drives will absolutely destroy 4 1tb drives in performance and redundancy....
Atleast when it comes to SAN infrastructure..
I came, I conquered, I coredumped
DBAN to the rescue!
http://www.dban.org/
With the first link, the chain is forged.
When last I checked the military's policy on wiping hard drives was to wipe it, write 1s and 0s and then cut the drive in half and send each part to separate locations to be destroyed. Maybe they wanted to make a little money from selling them on Ebay instead of just destroying them. See what this economy is doing to people!
I doubt they were illegally sold - it's more likely to be a breach of procedure due to incompetance considering where it was from and what was on it. Also does it really matter in this case? Where is the real SCUD missile that the system managed to shoot down? That's right - there wasn't one and there has been press about that. Leaked plans for Starwars snakeoil are unlikely to do much damage but it's now a good excuse to get rid of projects that show incompetance at all levels. Lysenkoism drove funding for a lot of things that just sounded cool and never had to actually work, and once a company is aware of that it just becomes a cash cow tended by those without the ability to succeed elsewhere in the company or those that lose hope when they become aware that they are working on a sham project.
The data is much more valuable than the $20 or $30 bucks they can recoup from selling the drives on Ebay; I don't know why a government agency would risk doing this.
link please
Oh, you did not just say that striped drives are redundant did you? :)
...
With PXE network boot, remote desktop, virtualization ect. There is little reason that any information higher than "sensitive" would ever need to be stored on a disk that is outside a secure data center. I would like to see the governemnt do away with desktop computers completely in favor of thin clients or something similar.
Sometimes the best solution is to stop wasting time looking for an easy solution.
Where I work we purchased a plasma cutter for the sole purpose of destroying platters.
Ingredients: Turkey, Mechanically Separated Turkey, Water, Salt, Flavour.
Doubleplus ungood!
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.
You would think the policy is to destroy them not sell them on e-bay,
Everyone's so caught up debating the possibilities of recovering data from discarded hard drives that nobody seemed to notice this "article" is from the UK's finest tabloid, Daily Mail.
Wake me when we have a legitimate source.
Digital Sailor
Unclean Military Hard Drives Sold On eBay
*Starts yelling from the distance* UNCLEAN!!!! UNCLEAN!!!
Seriously though, somehow I picture this ending up on a Red vs Blue joke...bow chika wow wow!
100*40 gigs=100 drives each of which is capable of holding the operating system for a workstation. Also since he mentioned CD drives, maybe he is selling the entire used system. Also depending on drive technology, you may be able to work them into a RAID array, or the buyer might just want to slag them anyway for the component material.
That which is done from love exists beyond good and evil
It's amazing to me in this day and age that highly sensitive information is leaked via old hard drives. My understanding is this: a.) you have highly sensitive information on a hard drive b.) you thoroughly destroy the disk( magneto, powerful magnet, baseball bat) c.) you check to see if the information was destroyed d.) ? e.) PROFITS If this is not done, some sneaky cheeser is going to find a way to get your info. -- this does not include intentional leaking of info
Considering IT work is more or less outsourced to Bangalore even among Pentagon contractors, i doubt companies like Wipro, TCS do much in terms of keeping their client's work secret.
H1B's can't work on classified systems. If you're not a US citizen, you aren't even considered for those positions.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Just another indicator that any screams of "terrorists!" coming from our military-industrial complex are nothing more than a dog & pony show.
There is a war going on for your mind.
Why the hell is the military selling used hard drives in the first place? If there is ANY chance of there being ANY sensitive data on a drive, even in deleted files, they should physically destroy the drive or at least completely degauss it to the point of it being scrap. Even the private sector knows better that this! When I worked as a contractor for Intel, they would run ALL used drives through a conveyor belt driven degaussing machine that would render the drives unusable scrap because they did NOT want any I.P. recovered by third parties. Doesn't our own military know better than this?
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Truth hurts doesn't it?
Some days it's just not worth
chewing through my restraints.
I prefer the muriatic acid formatting approach myself. You know, just in case there are any confidential bits or bytes left in the drive's PCB traces or ICs, or sticking to the side walls of the platter enclosure. You can never be too careful....
Hats off to CmdrTaco who was arrested at home a few moments ago as a terrorists dangerous to national security, through publishing information likely to give comfort to and support the cause of terrorists, and disseminating information likely to aid terrorists and other enemies of the state.
blog.sam.liddicott.com
It is possible that the people who want to sell you a product don't want to announce the capability they wish to sell you is not necessary.
Besides, if the government is after you, they have such a variety of options to figure out what goes on (pin cameras, laser mics, various other forms of mics, analysis programs that can guess what you are typing, installation of keyloggers, and just simple acquisition with legal means like a warrant) that worrying about whether they may, beyond all known capabilities of industry, be able to recover data off your drive is absolutely hilarious.
If you're that paranoid, just never, ever do or say anything the government will pay attention to. In the maxima, this means never doing or saying anything. Ever.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
The THAAD system has never been deployed. It's always been a sore point for me -- typical headlines in Aviation Week are "THAAD fails tests for the third time in a row", or "THAAD deployment delayed yet again", or "THAAD does not live up to promises."
Kinda pisses me off.
Thad [just one A!] Beier
I love Mondays. On a Monday, anything is possible.
This was the first thing that came in my mind too!
They blame P2P when they put sensitive data on computers accessible on the net, or just sell it outright.
This latter could happen even if the internet wouldn't exist at all.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Some major vendors include "wipe hard drive" as one of the functions built into the BIOS.
It would be way cool if drives had a jumpers that if set on drive-power-on, would cause the drive to not connect to the bus but rather start writing random data to wipe the drive. Add a status LED that blinked a pattern based on the pass number in progress: "flash pause" for "in the middle of pass 1," "flash flash pause" for "in the middle of pass 2," etc., with a special blink sequence if any pass failed to write to all sectors including previously-marked-bad sectors. Store the results in the drive's nonvolitile RAM for read-back later and you have the means to certify that the drive was wiped.
Since on modern drives all but the most sensitive data is safe after a 1-pass wipe, this would make recycling computers much easier.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
They'd be easy to spot: just look for shiny hard drives (wiped) with the numbers 1010 written (hopefully using a sharpie) all over it!
Am I the only one that finds it peculiar that all that wildly different data was found on one hard drive? Security policies, social security numbers, facility blueprints, ...etc.? I mean, of course it's *possible*, but it seems a bit odd to me that such disparate kinds of data would all be on one server, let alone one hard drive.
This is addressed in the shred man page:
"The default is not to remove the (original) files because it is common to operate on device files like /dev/hda, and those files usually should not be removed."
If you shred the disk device, rather than individual partitions or filesystem entries on the disk device, you will get the swap areas and other relevant metadata. In the above example, /dev/hda1 may be your swap, and /dev/hda2 may be your filesystem. If you shred /dev/hda, both will be overwritten. If you shred only /dev/hda2, the swap will be preserved (which is not what you want). Under no account would you mount /dev/hda2 and shred files within it and expect secure erasure.
The shred manpage has specific warnings about journaling filesystems and other cases where your erasure will not be as secure as you would like.
You don't necessarily need to be working on the classified system to have access to the computer. Someone has to clean up the computer labs.
Hang on....let me adjust my tin foil hat.....ok..... This hard drive might have been deliberately put on ebay with the hope it would fall into the "wrong" hands.
Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it.
I've been using MCI's standard: writing 1010220 all over it, then taking the sale of the drive as a tax deduction for advertising expenses.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
...is the hard drive shredder, a machine that simply shreds complete hard drives to pieces. Apparently some large defense institutions showed interest at the time this invention was presented at "Dragon's Den" (a TV-show where people can request money from private investors).
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
They don't let just anybody into any area that contains either classified materials, or classified machines. You have to be cleared to even enter those areas much less access information. An unclassified person would not even be able to enter the room, much less touch anything in it. You're not going to be classified if you are not a US citizen...at least not normally.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Mindlessly easy to use, you can burn it onto floppies or CDs as a boot image, and effective.
I swear to God...I swear to God! That is NOT how you treat your human!
They do this "experiment" several times a year and they all come to the same conclusion; OHH WE FOUND THE SECRET DATA!
So is it really even news anymore? Shouldn't the new really be "We learned nothing since last time!".
I sold a 386 just a few years ago for $175.
How did I get so much for a computer you could find in a dumpster? Easy, the customers 286 was fried in a lightning storm. He used the thing with some very very old DOS based software that ran his embroidery machine. I happened to have a 386 lying around that ran everything just fine. Even installed Windows 3.1 on the thing.
Sometimes a 40 gig drive is a lot more valuable than a 1TB drive. Especially when it's the difference in replacing one old broken component vs buying all new hardware/software that you're not even sure will work with what you've got.
A friend of mine who worked IT for a firm that provided processing for insurance companies told me that he constantly took hard drives home and had ready access to lots more. Why? Because there was a storeroom, completely filled with hard drives ranging back to 10gig ones. The company has a policy that formatting the hard drives aren't enough, they have to be put through a machine where the entire hard drive is basically ripped apart and turned into screw sized scrap metal. The cost of this is roughly $20 per hard drive (iirc). At some point, it became cheaper just to warehouse them then actually destroy them. New hard drives that were to be destroyed then didn't have such a priority to be wiped. "Oh, just leave it there for now, we'll throw it in the room later." If it went missing, no one really cared.
The DoD does not sell harddrives on EBay, however gov't contractors that steal harddrives do (fact).
What I've been told is that all old harddrives are sent to specialists who wipe all data, then incinerate the drive.
I occasionally work for the Navy as a contractor.
I whack my old drives several good licks with a heavy hard-faced ball-peen hammer, then dispose of them. Much more secure than any DoD standard way of wiping the drive, especially if you peen the disk platters into a nice curved and sometimes cracked surface.
At least a mini series. Kinda like Mythbusters except they destroy hard drives each week a different way and then see what kind of information can be salvaged off them by real experts.
And this has been another installament of Captain Obvious!
"Taken from DoD 5220.22-M Wipe Standard:"
GAH!! Not this again. DoD 5220.22-M, full title "National Industrial Security Program Operating Manual", more commonly called NISPOM, is not and never was a wipe standard. It is a 150 page document that covers all aspects of the National Industrial Security Program (NISP). NISP is the jurisdiction for most commercial contractors doing classified work. Sanitization is about two paragraphs in this document. In every edition published within the past 15 years or so, I've never seen seen it get into specifics about methods -- it just says the CSA (Cognizant Security Authority) gets to set them. I've seen one document of uncertain origin, dated 1995, which did provide a list of methods, but there were several options depending on the nature of the medium and the data.
You can download the NISPOM from the official source here: https://www.dss.mil/GW/ShowBinary/DSS/isp/fac_clear/download_nispom.html Sanitization is Section 8-301(b) on page 8-3-1 (ordinal page 75).
Most NISP jurisdictions have to follow the DSS Clearing and Sanitization Matrix. As of ISL 2007-01 (Oct 2007), the C&SM does not permit overwriting for destruction. Only degaussing or physical destruction is acceptable.
Further, the degaussing standards require one to remove and degauss each individual platter. As someone else noted, degaussing a modern hard drive erases the factory formatting and renders it unusable.
For physical destruction, it's not enough to drill a hole through the platter, either. Every bit (pardon the pun) of surface area must be obliterated. Grinding, sandblasting, incineration, liquidation, vaporization, pulverization, etc.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"These have been superceded by NIST Special Publication 800-88:"
NIST does not have jurisdiction over DoD. NIST 800-88 doesn't supersede 5220.22-M. 5220.22-M is still in effect; the most current edition is 2006. (See my post here for where to get it.) It doesn't specify methods, though; as far as I can tell, it never did.
Most DoD and NISP jurisdictions are under DSS authority; the DSS publishes their own Clearing and Sanitization Matrix for this sort of thing. I discuss that in that post, too.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"While you're having fun, note that there is a good chance that the degausser just fries the electronics (by inducing strong currents where they don't belong) but leaves the data on the platters intact"
Any degausser being used to sanitize a hard disk which contained classified information must be purchased from the NSA's Evaluated Products List, and used in accordance with NSA standards. Those typically include removing the platters from the drive enclosure and degaussing them individually. I'm pretty sure it's more than just the electronics. Mission objectives aside, the NSA knows what they are doing.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Man, you Marines...
This should get added to the USMC mission planning. Have all branches/departments of the Fed. Gov't. turn over their HDD's to the USMC for destruction.
Use it as a 'punishment detail' for minor infractions.
Sounds like a perfect solution:
HDD's need destroyed
Marines needing punishment for that brawl in the bar
Marines are Masters of Destruction
Note:see 'subject', as I was 'smiling when I said that!'[former US Army dogface here]
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
I'll bet that results in some interesting 'pattern welded' trinkets!
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
"I don't think disassembling the drives is part of their procedure."
I remembered that being permitted, provided certain requirements were met by the degaussing equipment. I just double-checked, the EPL and it seems there is more such equipment than I remembered. Perhaps things have improved since I last looked, or perhaps my memory was just faulty. I know we were only interested in the cheaper hand wands, which do require disassembly, so perhaps my memory magnified that part of the document.
You can find the NSA Evaluated Products List online:
http://www.nsa.gov/ia/_files/Government/MDG/NSA_CSS-EPL-9-12.PDF
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Good Lord, and to think that the unfortunate soul who ended up with the drive is probably being waterboarded already for his/her troubles, as I write this.
Ok, back to work, this is too depressing.
MOE
SARAVA!
I'd like to see you try. Hell I'd even pay to watch.
I am the lawn!
Why don't they have the entire hard drive encrypted anyway so if one leaks through their deletion protocol, it isn't quite so bad?
Aren't those drives supposed to be degaussed. I think the procedure the author is talking about is dated. The company that sold the drive is probably kicking themselves since the sale of that hard drive is probably not going to cover the penalties and lost contracts the military will punish them with.