Slashdot Mirror


Reporters Find US Gov't Data In Ghana Market

narramissic writes "'Hundreds and hundreds of documents about government contracts,' were found on a hard drive purchased at a market in Ghana for the bargain basement price of $40, said Peter Klein, an associate professor with the University of British Columbia, who led an investigation into the global electronic waste business for the PBS show Frontline. The hard drive had belonged to US government contractor Northrop Grumman and in a made-for-TV ironic twist, 'some of the documents talked about how to recruit airport screeners and several of them even covered data security practices,' Klein said. 'Here were these contracts being awarded based on their ability to keep the data safe.'"

154 comments

  1. What a news scoop....*yawn* by Ritz_Just_Ritz · · Score: 2, Funny

    Yet another example of some bonehead "disposing" of old equipment without wiping the data first. Time to start cranking out those Pulitzer prizes. ;)

    1. Re:What a news scoop....*yawn* by Anonymous Coward · · Score: 0

      This is why I never sell used hard drives if they had sensitive data on them, they just get smashed, blown up, or burnt; it's more fun that way.

    2. Re:What a news scoop....*yawn* by wujing · · Score: 1
  2. Contracts by hellfish006 · · Score: 3, Interesting

    They should lose their contracts for failing to wipe the data off the hard drives.

    1. Re:Contracts by Cheerio+Boy · · Score: 4, Informative

      They should lose their contracts for failing to wipe the data off the hard drives.

      They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.

      --

      "Bah!" - Dogbert
    2. Re:Contracts by plover · · Score: 5, Insightful

      They should lose their contracts for failing to wipe the data off the hard drives.

      They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.

      They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."

      There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.

      --
      John
    3. Re:Contracts by TheRaven64 · · Score: 1

      Then, the next time a contract goes out for tender, they will lose it. And, by 'lose' I mean 'win because they can demonstrate more experience than their competitors in this area'.

      --
      I am TheRaven on Soylent News
    4. Re:Contracts by Cheerio+Boy · · Score: 4, Informative

      They should lose their contracts for failing to wipe the data off the hard drives.

      They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.

      They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."

      There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.

      ITAR is pretty strict but you're probably right in that they'll blame the recycling firm or some such nonsense. From my experience they can at least expect a fresh ITAR audit courtesy of the federal gooberment because there is now "reason to question" their security.

      Personally I don't let a hard drive out of the building unless it's been at least wiped (non-secure data) if not destroyed (secure data). Usually I destroy them just to make sure.

      --

      "Bah!" - Dogbert
    5. Re:Contracts by geobeck · · Score: 4, Interesting

      They should lose their contracts for failing to wipe the data off the hard drives.

      What's so ridiculous is how easy it is to destroy data without investing in ultra-super-duper-mil-spec data destruction software. When I destroyed hard drives for my old company, I'd pull out the drive, take it down to the shop floor, and watch as one of our fabricators put a 1/2-inch hole through the platters with a drill press. It's theoretically possible that an expert who really, really wanted our data could have read something from the partial platters, but I guarantee that none of our drives ever showed up in use anywhere else.

      And with the old IBM death stars, pretty much any possibility of data recovery was eliminated when those glass platters shattered inside the case as the drill went through.

      Of course, this technique requires you to have a drill press or a good, sturdy hand drill somewhere on your site, but I think Northrop Grumman could afford one of those.

      --
      Find environmentally and socially responsible products on http://buy-right.net
    6. Re:Contracts by Quantumstate · · Score: 1

      If your policy included using encryption for your sensitive data then you should not get many issues of lost sensitive data.

    7. Re:Contracts by Anonymous Coward · · Score: 1, Informative

      They will not lose anything. Some poor slob will be scapegoated. I personally have been on the receiving end of that throat cutting. It's very simple, you sign a contract (yes, I was a sub-sub contractor) that says you will obey all their policies, which includes doing whatever the BNOM (Base Network Operations Manager) tells you to do. When he tells you to multi-home a server between secure and unsecure LANs, in clear violation of security policies and common sense, you do it because it's your job if you don't. When it gets caught, you're the one to blame. If you complain, you are told to follow normal policy (as per your contract) which requires you to complain through the BNOM!

      The general contractor never takes the blame and always takes at least 75% of the awarded contract.

      BTW If you sue, they cut the BNOM's throat. You have his blood on your hands but still no money in your pocket.

    8. Re:Contracts by rpillala · · Score: 2, Insightful

      Or maybe the whole thing is secret under the aegis of War On Terror or National Security or whatever the fuck. I don't think we'll hear much more about how this turns out, and therefore no accountability.

      --
      When the axe came to the forest, the trees said, "Look out - the handle was once one of us."
    9. Re:Contracts by Gilmoure · · Score: 1

      On the DOE side of things, hard drives don't get wiped, they get shredded. Have purchased a surplus computer that had been DOE owned and it had hard drive, optical drive, ram and video card pulled.

      --
      I drank what? -- Socrates
    10. Re:Contracts by Anonymous Coward · · Score: 0

      If your policy included using encryption for your sensitive data then you should not get many issues of lost sensitive data.

      Any commercial encryption can be broken, it is just a matter of time. For really confidential data why risk it when there are cheap and effective means to make the data on a hard-drive unrecoverable?

    11. Re:Contracts by networkconsultant · · Score: 2, Informative

      Government Sub-contractors are required to maintain liability insurance for instances like this.

      Sadly, this poor fellow will be sued into oblivion; the minimum in Canada is 2 million, in the U.S. I don't even know.

      Northrop is usually very good but the issue is that it's "Sensitive Information" chances are the person using the system didn't follow the security protocols in place (i.e. Not storing classified information in an Unclass environment).

      It's for this very reason all of my file systems are encrypted.

      As for Northrop they are responsible to meet all IT Security Policies in place by the Military, that's one of the reasons classified systems are so damn expensive, you buy it for 5K, service it for 100K and then decommission it for 10K, if the guy is just taking the 10K and recycling it then you have a problem. Ideally the Hard drives should be wiped, degaussed, smashed with large hammers (hydraulic or sledges work well) or shredded and then thrown into a furnace. That is a NATO standard for classified information. It's a lot of labor and hence the 10K.

    12. Re:Contracts by tekiegreg · · Score: 1

      Just to clarify a point, to be REALLY sure you want to wipe AND destroy, if there is even a fraction left of a HD platter it might contain a file that a pro could recover given enough time, money and patience.

      --
      ...in bed
    13. Re:Contracts by whoever57 · · Score: 1

      Personally I don't let a hard drive out of the building unless it's been at least wiped (non-secure data) if not destroyed (secure data). Usually I destroy them just to make sure.

      I wonder how effective are the machines designed to bulk wipe hard drives (by bulk, I mean one whole drive at a time)?
      Wiping by writing data has problems -- remapped sectors might be recoverable to someone with the right equipment and know-how and these sectors won't be overwritten using normal disk-wiping methods.

      --
      The real "Libtards" are the Libertarians!
    14. Re:Contracts by hawkinspeter · · Score: 1

      I'm calling bullshit on that - where's your citation?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    15. Re:Contracts by T+Murphy · · Score: 1

      I don't see why it has to be so complicated. All you need is one question: Will it blend?

    16. Re:Contracts by TheBig1 · · Score: 2, Informative

      I don't know if this is flamebait, or just ignorance. While it is true that given enough time any encryption can be broken, what is not mentioned is how much time. A proven symmetric cipher (e.g. AES 256 or similar) which is implemented correctly can withstand attacks from current equipment for far longer than you (or anyone else on earth) will be alive. Why not use it, and if you are paranoid *also* destroy the drive when finished with it? Multiple layers of security never hurt anyone.

      Cheers

    17. Re:Contracts by TheLink · · Score: 2, Funny

      I haven't tested this myself but I think something like an oxy-acetylene cutter can be pretty effective and fast.

      It will take a lot of effort to recover the data from the resulting molten puddles of metal ;).

      If you want to wipe very many hard drives at a go, there's always stuff like thermite, furnaces and bessemer converters.

    18. Re:Contracts by Anonymous Coward · · Score: 0

      I'm calling bullshit on that - where's your citation?

      You don't need citations for simple logical deductions. If there is even one valid method to decrypt an encrypted set of information it can be brute forced. Since commercially viable encryption software must have at least one way to decrypt the data, it is therefore theoretically possible to break the encryption. The obvious analogue is a door, a lock is not a problem for someone both willing and able to either force or fool it (in mechanical locks the process of fooling is called "picking"). Specialized tools can speed-up both, but sufficient force will always defeat either the lock or the door around it.

      Now TheBig1 in different reply mentioned that some commercial encryption schemes take longer than a human lifetime to break on present day equipment. This is of course true, but it is also true that both mathematical theory and computer hardware continue to advance. So what is for all practical purposes "unbreakable" today may not remain that way in the next five to ten years. On the other hand, several dozen cycles of flipping all the bits on a drive to the same value, or the right electromagnetic field applied for a short time can make the data on an old drive permanently unrecoverable. Shredding works too, of course, but then the drive is totally unusable which is rather wasteful, especially when there are non-destructive alternatives that are effective.

    19. Re:Contracts by Anonymous Coward · · Score: 1, Insightful

      Encryption is less of an issue. If AES is implemented in a reasonable way (there are bad implementations of AES as well as good ones), there is no known way to obtain the data without the key.

      What is attackable is how the keys are stored, and how keys are put in.

      So, if a drive sitting on a shelf in Elbonia is encrypted via almost all FDE mechanisms out there, be it TrueCrypt, BitLocker, PGP, PointSec, Safeboot, WinMagic, BestCrypt, or others, the only avenue the bearer of the drive has is to figure out which program encrypted it, and then start brute forcing the passphrase, which can be almost impossible to do especially if the drive was encrypted using a cryptographic token, or TPM where the key could be anywhere in the keyspace, as opposed to what someone would type in.

    20. Re:Contracts by Anonymous Coward · · Score: 0

      On the DOE side of things, hard drives don't get wiped, they get shredded.

      I thought they got "lost" behind photocopiers first? Joking, joking!

      (No, we won't ever let you forget it.)

    21. Re:Contracts by metaforest · · Score: 1

      Heat drive to 350C, and hold the temp for 30 minutes. There will be no magnetic information readable from that drive.... or what's left of it....

      no hammers, no metal-shredder to jam..... just a fairly low cost electric, tub-furnace, with a temp controller.

  3. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  4. When I dispose of an obsolete drive by Peter+Simpson · · Score: 3, Interesting

    I disassemble it, remove the platters, mount each one in a vise and bend it by striking it with a hammer.

    If they can get data off that platter, they're welcome to it.

    1. Re:When I dispose of an obsolete drive by rotide · · Score: 5, Informative

      Sounds time intensive. While a little pricey, get a hard drive destroyer. Pop it in, hit go and it folds 90 degrees!

      http://www.garner-products.com/PD-8400.htm

    2. Re:When I dispose of an obsolete drive by FudRucker · · Score: 3, Funny

      thermite, let's see them get data out of a pile of slag

      --
      Politics is Treachery, Religion is Brainwashing
    3. Re:When I dispose of an obsolete drive by cbiltcliffe · · Score: 2, Interesting

      Not to mention...you have some fun in the process. :)

      Although, I can't imagine running it through a DoD wipe with DBAN would be recoverable, and then the drive is reusable. We already have enough electronic junk going in landfills, so I find destroying drives rather than properly wiping them to be particularly distasteful.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:When I dispose of an obsolete drive by Patrik_AKA_RedX · · Score: 4, Funny

      My methode is much better. I install windows on it, have internet explorer start automatically and open Slashdot. By the time they're done, the data is way too old to be of any relevance.
      The rest of the drive I fill up with the combined works of David Hasselhoff. Cruel, but effective.

    5. Re:When I dispose of an obsolete drive by Culture20 · · Score: 1

      I hope you don't do this with glass platters.

    6. Re:When I dispose of an obsolete drive by Peter+Simpson · · Score: 1

      "Sounds time intensive."

      Not as bad as you'd think. Electric screwdriver with torx bit, don't need to worry about keeping the screws "found", as I won't be putting it back together, and it's a few minutes a drive to get the platters out. But I don't do it too often...

    7. Re:When I dispose of an obsolete drive by cenc · · Score: 2, Interesting

      I have a fast and simple solution. I take my trusty drill and run the bit through the platter at least once to several times depending on the importance of the drive. Yea, someone could in theory super reconstruct the data, but not without spending hundreds of thousands if not millions of dollars more than the data was worth. For that kind of money, I would just give them the data. It is a simple, cheap, quick solution that in all but the most sensitive situations would be sufficient to keep the data from being recovered in 99.9% of all cases.

      The thing people forget in all their bs about "just overwrite it with 0 and 1" is that hard drives are often being discarded because they have mechanical problems. The platter is likely still in good shape, just something else has failed that stops it from being mountable. My solution fixes both.

    8. Re:When I dispose of an obsolete drive by khallow · · Score: 1

      A degausser is more useful IMHO. Fortunately, this product apparently can work with one.

    9. Re:When I dispose of an obsolete drive by Anonymous Coward · · Score: 0

      >thermite, lets see them get data out of a pile of slag

      time machine, let's see how smug you are then!

    10. Re:When I dispose of an obsolete drive by BlackBloq · · Score: 0

      David Hasselhoff counts as a government secret! Or was that a weapon of mass destruction?!

    11. Re:When I dispose of an obsolete drive by Rich0 · · Score: 2, Interesting

      I don't pretend to know all the regulations involved, but that website mentions that such a device is suitable for emergency destruction of top secret data.

      In an emergency this probably would be a good tradeoff between security and time - you can't take three weeks to do an "emergency" destruction if your security guards are holding off a regiment of troops looking to capture your data (which I think is the actual scenario envisioned - maybe some paratroops drop in on your roof or something or there are rioters outside looking to break in).

      However, I think that if a hard drive truly contained top secret data it would probably need to be almost completely incinerated to be secure - preferably to the point of melting the platters and destroying the memory chips. Top secret data potentially would be of interest to a very determined government - a merely bent hard drive could probably be read just fine with something like a tunnelling electron microscope. Sure, it would take quite a bit of determination, but if you're talking about the detailed designs and source code for an F22 or a nuclear bomb or something like that I'm sure somebody would be willing to go through the trouble. Reading the bits off of a bent hard drive has to be easier than building your own from scratch.

    12. Re:When I dispose of an obsolete drive by Dishevel · · Score: 1

      Go back in time to when the hard drive still worked and....It's back in the secure facility. How smug are you now?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    13. Re:When I dispose of an obsolete drive by hairyfeet · · Score: 3, Insightful

      Same here, that is just stupid and wasteful, not to mention based on old wives' tales. I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.

      Even to this day I have no problem giving away a 400Mhz or better to somebody who doesn't actually have a PC. Just slap DSL-N and they have a nice clean desktop that is quite fast and a pleasure to surf with. I keep a 733MHz around to run Win9X for old games and to surf on when my main boxes are busy, and with 384Mb of PC100 and DSL-N it is a very pleasurable surfing experience. It is just stupid and wasteful to destroy those drives and make even more e-waste when they can be reused by those that don't have any. Single moms, homeless shelters, churches, there are tons of places that are quite happy to take a free working machine, and if everyone destroys the drive the cost of giving those machines away suddenly becomes too expensive.

      So don't fall for old wives' tales, DoD wipe and recycle. Good for the environment and your fellow man.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    14. Re:When I dispose of an obsolete drive by L4t3r4lu5 · · Score: 1

      Sounds like a lot of effort.

      Find a local building work and give him £20 to put it on top of the next thing he attacks with a kango.

      JD.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    15. Re:When I dispose of an obsolete drive by Proteus+Child · · Score: 1

      Where I work, we get together about once a week to take ten or fifteen pound sledgehammers to decommissioned drives. Not only is it good for disposing of our clients' old drives but it's a great way to work off the week's stress. Remove the circuit board, take the screws out, separate the two halves of the drive's casing to expose the platters, and pretend you're playing Donkey Kong...

      --

      Proteus' Child

      Doko ni datte; hito wa, tsunagette iru.

    16. Re:When I dispose of an obsolete drive by Proteus+Child · · Score: 1

      Don't forget roasting marshmallows over the remains!

      --

      Proteus' Child

      Doko ni datte; hito wa, tsunagette iru.

    17. Re:When I dispose of an obsolete drive by DavidTC · · Score: 3, Informative

      I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.

      Forget DoD wipes, it has never even been demonstrated it's possible to recover data from a single 00000000 wipe. No one has ever managed to read as much as a byte of data after it has been overwritten once with any value.

      The whole thing is sheer paranoid lunacy. It has its origin when hard drives encoded data in a different way, and were a lot looser in where they wrote on the drive, so in theory parts of the signal could be left behind. But that was only hypothetical even back then, there was no way to separate the signals out, and hard drives are a lot denser and encode the signal differently now.

      The only thing that makes a bit of sense is that hard drives can reassign clusters and leave data behind in bad ones, but you can get around that by using the right commands. It would be a hell of a lot more useful if the DoD would just invest in some external hard drive controller-type device to low-level format drives, and then when they're done turn on a huge magnet just to make sure.

      And stop wasting all that hardware.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    18. Re:When I dispose of an obsolete drive by SydShamino · · Score: 1

      Yeah, but there are thousands and thousands of old machines 400MHz and up, and most of those are willingly discarded or recycled by those with no sensitive data on them at all, or by those who don't know to wipe their own data off the drive first.

      All of those drives are more than enough to supply the single moms, homeless shelters, and churches of the world. Meanwhile, other drives - those that actually have critical information where the consequences of release are high - can be destroyed.

      If it makes you feel better, when they're done destroying them, I fully support having the metal melted down for some environmentally-friendly reuse.

      --
      It doesn't hurt to be nice.
    19. Re:When I dispose of an obsolete drive by Kabuthunk · · Score: 1

      I keep wondering why people always bring up "drive destroying" methods when disposing of a hard drive. What about that Linux (I think) command that overwrites the entire hard drive with 0's? Wasn't there some website offering a pile of money to any data-recovery place that can get anything off of a drive that's had that done? And hasn't pretty much every data-recovery place either failed, or refused to even try once they heard that this command was used?

      So... why not just use that command? At least the drive is re-useable after.

      --
      Planet Zebeth - Metroid with a twist
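
Added example, not part of any comment in this thread: a zero-fill wipe like the one asked about above can be checked afterwards by reading the device or image back and listing every sector that is not all zeros. The function names, the 512-byte sector size and the sample image are assumptions constructed for illustration; as an earlier comment notes, remapped sectors are not reachable through normal reads, so a clean result covers only the addressable sectors.

```python
"""Read-back check for a zero-fill wipe (added example, not from the thread)."""
import os
import tempfile

SECTOR = 512           # assumed logical sector size
CHUNK = 1024 * 1024    # read 1 MiB at a time; must be a multiple of SECTOR


def verify_zero_wipe(path, sector_size=SECTOR, max_report=8):
    """Scan a block device or image file and report non-zero sectors.

    Only sectors the host can address are read. Sectors the drive has
    remapped internally are invisible here, so "clean" means "every
    addressable sector is zero", nothing more.
    """
    zero_chunk = bytes(CHUNK)
    zero_sector = bytes(sector_size)
    total = dirty = offset = 0
    first_dirty = []
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                break
            # Fast path: compare the whole chunk before looking per sector.
            if chunk != zero_chunk[:len(chunk)]:
                for i in range(0, len(chunk), sector_size):
                    sector = chunk[i:i + sector_size]
                    if sector != zero_sector[:len(sector)]:
                        dirty += 1
                        if len(first_dirty) < max_report:
                            first_dirty.append((offset + i) // sector_size)
            total += -(-len(chunk) // sector_size)  # ceil for a short tail
            offset += len(chunk)
    return {
        "total_sectors": total,
        "dirty_sectors": dirty,
        "first_dirty_lbas": first_dirty,
        "clean": total > 0 and dirty == 0,
    }


def make_sample_image(path, sectors, residue, sector_size=SECTOR):
    """Build a constructed test image: all zeros plus leftover data.

    `residue` maps a sector number to the bytes left behind there, which
    models a wipe that was interrupted or skipped part of the disk.
    """
    with open(path, "wb") as img:
        img.write(bytes(sectors * sector_size))
        for lba, data in residue.items():
            img.seek(lba * sector_size)
            img.write(data)


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "wiped-drive.img")
    # Constructed sample: 2 MiB image with two sectors the wipe missed.
    make_sample_image(image, 4096, {5: b"contract draft", 3000: b"\x01"})
    report = verify_zero_wipe(image)
    print("sectors read :", report["total_sectors"])
    print("non-zero     :", report["dirty_sectors"])
    print("first LBAs   :", report["first_dirty_lbas"])
    print("verdict      :", "clean" if report["clean"] else "NOT wiped")
```

Pointed at a real block device this needs read permission on the device node, and a drive that will not spin up cannot be checked this way at all.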
    20. Re:When I dispose of an obsolete drive by Anonymous Coward · · Score: 0

      My methode is much better...

      Is that like a diode, but made of meth?

    21. Re:When I dispose of an obsolete drive by fm6 · · Score: 1

      Jeez, talk about overkill. For most purposes, wiping the disk is perfectly adequate. If your hat is made of tinfoil, use software that implements DoD 5220.22M. But really, if you're up against somebody who can recover data after even a basic destructive overwrite (someone like the NSA), they already know all your secrets — assuming they even care that you exist.

    22. Re:When I dispose of an obsolete drive by rotide · · Score: 1

      It may be overkill, but that has NOTHING to do with what is and isn't reasonable for your employer to set as a policy.

      If they want to be able to tell their clients/customers that their data will literally be destroyed when the server is decommissioned, so be it.

    23. Re:When I dispose of an obsolete drive by hplus · · Score: 1

      I think the problem was that the "pile of money" offered was really that the security firm could keep the drive afterwards. The drive was only 40 gigs, making the pile about 35 dollars tall.

    24. Re:When I dispose of an obsolete drive by evilviper · · Score: 1

      and then when they're done turn on a huge magnet just to make sure.
      And stop wasting all that hardware

      Erasing the whole drive with a giant magnet (ie. not JUST the data area, but also the tracking information encoded by the manufacturer) is every bit as bad as physically destroying the drive. You certainly won't be using it ever again, unless the manufacturer is specifically involved in refurbishing it (which is probably too expensive to be worthwhile).

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    25. Re:When I dispose of an obsolete drive by fm6 · · Score: 1

      What do you mean by "literally destroyed?" Taking the disk apart and smashing the platters with a hammer? Somebody with the right resources could still reassemble the disks and recover the data. Perhaps you need to dissolve them in acid? Expensive, and there are environment issues.

      Show me any evidence that somebody has been able to recover data on disks wiped by DOD-grade software, and I'll concede that you have a point. Going beyond that just so you can claim it's "literally destroyed" is pure security theater.

    26. Re:When I dispose of an obsolete drive by mlts · · Score: 1

      At some places, not just government offices, but private companies, they use thermite packages to destroy hard disks. The hard disks go in the enclosure, thermite packs are laid atop the drives, cover is closed, and the stuff is ignited. The result is metal slag that goes to a scrapyard for recycling.

      Even if any data remained on an unmelted part of the drive, the hard disk would have been heated far beyond the Curie point so any data on it would be long gone.

    27. Re:When I dispose of an obsolete drive by Dare+nMc · · Score: 1

      turn on a huge magnet just to make sure. And stop wasting all that hardware.

      FYI the magnet doesn't help with destroying data, or saving the drive. I attached the biggest magnet I could find to an unused hard drive, and booted the computer, it booted but started making a horrible scratching noise. I shutdown and took off the magnet couple tries over a couple days, and the drive was dead (same horrible noise). Let it sit for 2 weeks, and whatever bent/magnetized metal in the drive recovered enough that all of the data was then readable, drive still works (poorly) with 99.9% of the data still intact.

      basically any degaussing hardware would destroy the data on the platter at the same rate as the magnets powering the device. Any mostly static magnetic field will just destroy the hardware before the data.

    28. Re:When I dispose of an obsolete drive by Anonymous Coward · · Score: 0

      Having some experience in the data recovery industry, I can tell you that it's quite possible to recover data from a drive that's been erased in this manner. It's just very, very labor intensive. It's not a matter of running a special recovery, it's actually looking at the signal returned by a very precisely aligned hard drive head (through a scope, nonetheless) and inferring the likely original bit, running that through the encoding mechanism used by the drive, and figuring out if you guessed right - and when you didn't (most likely), trying again. Over and over and over. Literally byte by byte. You want to spend 100 hours to discover that the *one* file you just recovered is AUTOEXEC.BAT? Not hardly. Yes, it's possible.

      Think of it as similar to trying to reassemble a 50-gallon drum full of cross-cut shredded paper. Can it be done, given enough effort and interest? Sure. Are most people/companies/governments likely to try it? Not unless you believe the data contained therein is VERY, VERY valuable.

    29. Re:When I dispose of an obsolete drive by Kadin2048 · · Score: 1

      Just taking the drives and boring a hole in them with a drill press, or dropping them in an industrial shredder, has several advantages:

      1. It's faster.
      2. It can be done by someone with minimal training.
      3. It's obvious -- no confusing a 'safe' drive that's ready for the trash with an 'unsafe' one that hasn't been decommissioned.
      4. It's satisfactory -- when you do a drive wipe, you have to explain to clients why it works. If you just destroy the drive, how it works is obvious.

      Wiping the drives is obviously better from the perspective of a home user, or if you only have one or two drives to wipe and aren't going to get them confused. It's effective and it lets you re-use the drives. Win/win.

      But if you had a stack of 50 of them, and you didn't care about reusing them and they were all headed for the trash anyway, and all you wanted to do was eliminate the data risk as quickly as possible? Destruction is easier.

      Personally the only time I've physically destroyed a drive was when the mechanism died and it wasn't possible to wipe it. It was probably safe to just toss in the trash, but over the years I've had drives suddenly come back to life once in a while, and I didn't want to take the risk that somebody might plug it in someday and pull a couple of files off before it conked out again. So I just drilled a couple of big holes in it, enough so that you'd never get the platters balanced and spinning again, and didn't think another minute of it.

      But the average system that I'm selling on CraigsList or something, or giving away? I just pop a copy of Boot & Nuke in the drive, take it through the random 1/0 cycle, and out the door it goes. Anything else is an unnecessary waste in my case.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    30. Re:When I dispose of an obsolete drive by hairyfeet · · Score: 1

      Wow, way to miss the point. The point is there is NO reason to destroy them in the first place. There are plenty of FOSS tools that will do a standard DoD 7 pass, and there has YET to be a single drive shown to be recoverable from a three pass wipe, much less a 7 pass DoD. Which makes the destruction of those drives stupid, pointless, and a complete and utter waste of resources for NO reason.

      It would be like me starting a rumor "OMG! Teh RAM keeps images of teh stuff days after being unplugged! Kill it with fire!" and then suddenly companies start throwing RAM sticks into fires all across this country. That old wives' tale was started in the days of the old style drive encoding (MFM encoding maybe? Too long ago for me to remember) when the drives were a LOT sloppier when it came to tolerances and data consisted of .txt files. Today the modern drive has tolerances too extreme for that kind of sloppiness, and even if you somehow managed to recover a "bad" sector (which is marked bad for a reason, you know) the simple fact is with today's multi-MB docs and Excel sheets and the tiny sectors we are talking you would get back ZERO usable anything.

      So I repeat: It doesn't matter if we "have plenty" just as it doesn't matter if you can buy lots o' gas for the Hummer, both are still a total waste. At least with the Hummer you are getting SOME kind of use of it, instead of pointlessly wasting resources based on old wives' tales. But believing that old wives' tale is a total "OMG! Kill it with fire!" moment, and those drives could be repurposed to do some good instead of ending up in a landfill, or wasting even more energy trying to recycle something that was perfectly usable before. Myself and many others across this great country have no problem finding folks that can use that stuff, and I am even happy to give the companies FOSS tools and wipe onsite.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    31. Re:When I dispose of an obsolete drive by uncqual · · Score: 1

      One word: Thermite

      (and, it's more fun in addition to being quick, easy, and quite convincing - although it can call attention to you if you live in an apartment or townhouse!)

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    32. Re:When I dispose of an obsolete drive by metaforest · · Score: 1

      Drawing on a previous comment about drive re-use...

      I can assure you a degaussed ATA compatible drive will never store data again, unless the manufacturer put it through QA again. Once the servo tracks are lost that's it. Game over.

      It's not like the old SCSI days where the controller formatted the drive from scratch when you sent the FORMAT(char sector_interleave) command to the drive, which wrote the servo tracks to the drive.

    33. Re:When I dispose of an obsolete drive by fm6 · · Score: 1

      Sorry, that's dumb. Unless you're talking about something really sensitive (like nuclear launch codes) a DOD-grade wipe program (such as Boot and Nuke) is more than adequate. It's extremely hard to recover data from such a drive, and it's simply beyond the resources of your common identity thief.

      Plus it leaves you with hardware that people can still use. Physically destroying a drive to protect your social security number is a bit much. Especially if such sensitive info on your drive is encrypted, as mine is.

      And if you do have nuclear launch codes on your hard drive, your procedure is not even close to adequate. Most of the platters are still intact, and it's quite conceivable that a determined expert unconstrained by cost could recover data not in the bore holes.

  5. Brilliant! by siddesu · · Score: 1

    'Here were these contracts being awarded based on their ability to keep the data safe.'"

    Diversion wrapped in a diversion cloaked in a diversion. I bet the spies who read the contracts went out of their ways to break the procedures outlined in them, wasting precious time and resources instead of just getting em on the cheap in Africa. Where is your Isser Dzerzhinsky now?

  6. They found... by iamapizza · · Score: 4, Funny

    some of the documents talked about how to recruit airport screeners

    It contained a link to monster.com?

    --
    Always proofread carefully to see if you any words out.
    1. Re:They found... by pjt33 · · Score: 3, Funny

      Airport screeners know how to use monster.com?!

    2. Re:They found... by Hurricane78 · · Score: 1

      Where else would you find a girl to love these monsters?

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  7. I guess filesystem FAT32 or NTFS *g* by kubitus · · Score: 1
    managers give presentations designed to fascinate preschoolers and top-decision maker alike

    and not think of real consequences.

  8. Umm.. that's not how it works by QuantumG · · Score: 2, Interesting

    It's a long standing complaint that governments keep information about contracts secret for the benefit of the contractors. Now you're complaining that a contractor didn't keep information about their contracts adequately secured? Are you stupid or something? The US taxpayers have a right to know the details of these contracts.. but they are denied that by commercial confidentiality concerns. If you want to cry a river for someone, think about the shareholders, but don't go blathering on about "secret government contracts" because they simply shouldn't exist.

    --
    How we know is more important than what we know.
    1. Re:Umm.. that's not how it works by langelgjm · · Score: 3, Insightful

      I thought the same thing at first, but then I read the rest of the summary:

      some of the documents talked about how to recruit airport screeners and several of them even covered data security practices

      Typically we're interested in contracts during the bidding process (to make sure the public is not being ripped off), and later on, to see that the contractor actually delivers the goods. But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    2. Re:Umm.. that's not how it works by Opportunist · · Score: 3, Funny

      I think it's asking a bit much of the US taxpayer that he should be required to go to a local market in Ghana to buy the info. It should be provided by the government.

      Besides, this is a company providing the info. I'm not really much into socializing everything, but dammit, there are some things that belong into government hands!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Umm.. that's not how it works by drinkypoo · · Score: 1

      some of the documents talked about how to recruit airport screeners and several of them even covered data security practices

      Typically we're interested in contracts during the bidding process (to make sure the public is not being ripped off), and later on, to see that the contractor actually delivers the goods. But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.

      The whole TSA/airport security thing is theater, it would still be trivial to get a bomb onto a plane, or to get a squad of terrorists onto same with some crappy weapons. It is not possible that any meaningful details of airport security were leaked because:

      1. There is no airport security.
      2. Security by obscurity is no security at all
      3. The terrorists can probably trivially get a copy of the security procedures anyway.
      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Umm.. that's not how it works by STSvatos · · Score: 1

      The issue is not whether they should exist or not, the issue is this information most likely contains sensitive information relating to national security. "Some of the documents talked about how to recruit airport screeners and several of them even covered data security practices" This information could be used to "get a foot in the door" or allow someone to figure out a way around NG's data security.

    5. Re:Umm.. that's not how it works by T+Murphy · · Score: 1

      But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.

      As long as said missiles are made of glass or similarly see-through material it's good enough.

    6. Re:Umm.. that's not how it works by metaforest · · Score: 1

      wow it came from a 5 digit ID it must be gospel....

      ffft

  9. Still? by wjousts · · Score: 1

    From the article:

    The drive had belonged to a Fairfax, Virginia, employee who still works for the company...

    But for how much longer?

    1. Re:Still? by Ritz_Just_Ritz · · Score: 4, Informative

      Did you even read the article? It doesn't appear that the employee was at fault. The computer was "disposed of" by some outside company. Allegedly, they are responsible for sanitizing the hardware prior to binning it or parting it out.

      I would expect, however, that this "outside firm" is wondering if they still have their contract with Northrop Grumman. I suspect not.

    2. Re:Still? by tibman · · Score: 2, Interesting

      NG said it went through an outside firm, that doesn't mean it did. Not only that but this could have been from a personal computer.

      Northrop Grumman is a business. Their employees don't take an oath to support (or defend) the constitution. It's all about the money.

      --
      http://soylentnews.org/~tibman
    3. Re:Still? by Rich0 · · Score: 1

      Gotta love modern business.

      If some part of the business is expensive (usually because it requires following regulations or requires the company to be safe) it gets outsourced. The main qualification for the outsourcer is that they are dirt cheap and that they sign off that they do everything by the book. Then when it turns out that they don't do things by the book they get fired (after making profits for 10 years), and then the contract is put out for bid again and the cheapest supplier is again hired.

      Meanwhile, all the outsourcing contractors who actually do things in a reputable manner go out of business since they can't compete on price with companies that will happily sign the agreements and then not follow them.

      The solution - hold companies responsible for the actions of their outside contractors. Then we'll see actual due diligence. It works this way in at least some industries - particularly anything FDA-regulated. If 30 people go blind because J&J is supplied with defective saline to package their contacts in by no-name-salt-co, then J&J will have products pulled from the market and will need to satisfy lots of regulators before being allowed to put them back on the market. As a result, companies like J&J regularly inspect their suppliers to make sure that their lucrative business isn't shut down.

  10. Bargain basement??? by fuzzyfuzzyfungus · · Score: 4, Insightful

    $40 for a used hard drive of unknown provenance seems pretty high, unless you are talking about a considerably cooler than ordinary drive. Methinks that those journalists were haggling about as effectively as someone with an expense account for the story might be expected to.

    1. Re:Bargain basement??? by Opportunist · · Score: 2, Insightful

      Depends on how it was marketed. I mean, how much would you pay for a used HD from NorGrum?

      I'm fairly sure a HD once used in the development area of MS can fetch a nice price.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Bargain basement??? by adosch · · Score: 2, Insightful

      $40 seems steep, but the size of the hard drive wasn't even listed ITFA, and there was definite intent and motive to go find some secret government/contractor data on a piece of computer hardware, too, by the journalists themselves. So it's evident price or need of a hard drive wasn't an issue. With dumpster diving and shady data mining practices that have been at least publicly practiced over the last decade quite over announced, have people not learned to wipe the data on their storage devices? I pity the "outside" company who is supposed to be in charge of doing that (or so NG claims). At work, it's kind of a break from the pace to sit down with a bunch of servers, and let DOI standard wipe policy chug away. It's not like you have to constantly monitor it; should be one of the easiest things to do on the side.

    3. Re:Bargain basement??? by dnwq · · Score: 1

      It's reasonable to assume that electronics may be more expensive in Ghana, so a used HDD may be worth more. But, yes, foreigners haggling probably can't get a good price anyway.

    4. Re:Bargain basement??? by maxume · · Score: 1

      If the 5 minutes of PBS that I caught were the correct five minutes, it was sold in an open air market, marketed as 'working'.

      --
      Nerd rage is the funniest rage.
    5. Re:Bargain basement??? by StormReaver · · Score: 1

      I think the "bargain basement" reference was to the value of the information contained on the hard drive, not the hardware itself.

    6. Re:Bargain basement??? by Culture20 · · Score: 2, Informative

      A used 300GB Ultra320? I'd pay $40 if it worked at sale.

    7. Re:Bargain basement??? by Opportunist · · Score: 1

      marketed as 'working'

      See? That's already a lot more than what can be said about other NorGrum hardware!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Bargain basement??? by drinkypoo · · Score: 1

      $40 for a used hard drive of unknown provenance seems pretty high, unless you are talking about a considerably cooler than ordinary drive.

      I paid $125 for my external hard drive, and that is STILL a good price (this was a year ago, on deep discount at costco)

      $40 might be a fantastic price, especially in Ghana.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Erasure Device? by Midnight+Thunder · · Score: 1

    Does anyone know if there are any stand alone devices designed to erase the data on a hard drive? I am thinking something you plug in and it then goes about erasing all the data (I am thinking simpler and cheaper than a PC). I doubt a magnet would be a reliable solution. While destroying the HD physically is a solution, it prevents the drive being reused.

    --
    Jumpstart the tartan drive.
    1. Re:Erasure Device? by fuzzyfuzzyfungus · · Score: 1

      I suspect that there are dedicated devices; but I'd be shocked if they are any cheaper or much simpler than a basic x86 with some easily accessible drive bays and a copy of DBAN.

    2. Re:Erasure Device? by plover · · Score: 2, Insightful

      While destroying the HD physically is a solution, it prevents the drive being reused.

      Destroying the drive physically has a benefit beyond the obvious that the data is rendered unrecoverable. The more critical benefit is that if you have two crates of disk drives to destroy, you can look at them and know that the crate full of smashed drives is the "done" crate. That's especially important when you have an unskilled labor pool doing the work. You post a guy at the door with a clipboard ensuring only smashed drives are allowed to leave the building. It doesn't take a computer scientist to do that job correctly.

      Wiping the drive and selling it has much less benefit than you might think. The value of the used drive is tiny -- especially since you still have to pay someone to track it through the wiping process, and you have to pay someone to wipe it. When you finally sell it, you might make a dollar or two at most.

      Compared to the cost of the risk of losing data, it's a false economy to think that salvaging drives is a smart choice. Just the legal costs Northrop Grumman is about to go through over this one far exceed the amount of money they have now or ever will make selling used drives.

      --
      John
    3. Re:Erasure Device? by cbiltcliffe · · Score: 1

      I'd think anything that specialized would be so low volume as to be as expensive as a PC, even though it's much simpler.

      My suggestion:
      Next time you or a friend upgrades their computer, or you find one on the side of the road (maybe with data on it..), or whatever, grab it.
      Pull all the nonessential parts - HD, vid card if it's got onboard or you have a low power junker sitting around - so it uses less power. Cut a hole in the side of the case, and run a PATA and SATA cable, and appropriate power cables out the hole. Or just run it with the cover off. It's not like it'll run often....
      Have a CD drive in it with a copy of DBAN in the drive.
      Plug in a drive, hit the power switch, and walk away.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:Erasure Device? by jps25 · · Score: 2, Informative
    5. Re:Erasure Device? by Anonymous Coward · · Score: 0

      man shred

      http://www.oreillynet.com/sysadmin/blog/2005/03/please_for_the_love_of_all_tha.html

    6. Re:Erasure Device? by Anonymous Coward · · Score: 0

      I work at an IT department for a University. We use an electromagnet to destroy data on our drives. Just plug it in and swipe it back and forth on top of the drive for 20 seconds or so guarantees the drive is unreadable.

    7. Re:Erasure Device? by 1u3hr · · Score: 1
      Destroying the drive physically has a benefit ...

      And it has cost: you have turned a useful piece of hardware into electronic waste. For all the waffle talked about using electronic microscopes, etc, to read a wiped drive, is irrelevant. This drive was not wiped. It was just unplugged and sold as-is.

      I don't believe anyone has demonstrated being able to read data in any useful quantity (not just a few bytes here and there) from a wiped drive, even one simply overwritten with zeros in the most simple-minded fashion. All the articles I've seen cited about this are theoretical. Data recovery firms can recover data from formatting and some kinds of physical damage. Never heard one say they could recover wiped data.

      Go ahead and claim that the NSA can. You and I will never know what they can do.

    8. Re:Erasure Device? by kubitus · · Score: 1
      erase3 and erase55

      Floppy disk Linux distro deleting all HD in its reach by writing all 0's then all 1's then random patterns.

      takes a while but no need to watch it.

    9. Re:Erasure Device? by pedestrian+crossing · · Score: 1

      This company sells a thing called the "Wipemasster" for mass wiping of up to 9 hard drives at a time.

      Simpler than a PC, definitely. Cheaper? Not really at $2500...

      --
      A house divided against itself cannot stand.
    10. Re:Erasure Device? by stickmaster_flex · · Score: 1

      dd if=/dev/urandom of=/dev/sda

    11. Re:Erasure Device? by Sulphur · · Score: 1

      Speaking of pata, one can make a cable that writes to a bunch of drives at once. This does not put servo tracks at risk.

    12. Re:Erasure Device? by Dare+nMc · · Score: 1

      I doubt a magnet would be a reliable solution.

      I tested the magnet approach with an old laptop drive, it is not an effective method.
      IE I got two of the best magnets I could find, 100# vertical hold stacked them on top of the drive, and booted the laptop. it booted, then started making scratching noises (apparently either the write head, or the disks were deflected by the force enough to rub) The drive did quickly become unusable. 2 days later, still unusable. 2 weeks later, the drive was 100% fine, whatever was magnetized/bent from the exposure recovered and the drive works 100%, very little data loss.

      Basically a mostly static magnetic force has no effect on the data on the platters, the force of the magnets is bad (like dropping the drive)

    13. Re:Erasure Device? by Midnight+Thunder · · Score: 1

      Data recovery firms can recover data from formatting

      For clarity, this is often since formatting simply writes the bare minimum for the disk to be useable. To be really sure you need a low-level format that writes random 1s and 0s to the whole disk.

      --
      Jumpstart the tartan drive.
    14. Re:Erasure Device? by Midnight+Thunder · · Score: 1

      Just took a look. It isn't cheaper, but given the number of drives it can do at once, it is probably more convenient. I am sure their security budget would cover that easily.

      --
      Jumpstart the tartan drive.
    15. Re:Erasure Device? by plover · · Score: 1

      Destroying the drive physically has a benefit ...

      And it has cost: you have turned a useful piece of hardware into electronic waste.

      That's the problem. You seem to be saying that "waste" and "cost" have some magically significant difference. But everything boils down to cost: smashing the drive into aluminum and glass and fiberglass shards costs you time, labor, disposal fees, and the lost opportunity to resell or reuse the device. Wiping the drive has a different cost: labor, tracking, and the risk that the drive will not be properly wiped before resale. My point is that risk has a higher cost than anything else above, by a very wide margin.*

      (Whether or not a 10GB six-year-old hard disk has any actual "useful" value is a different discussion. And a smashed drive can certainly be recycled into component minerals, and does not have to pollute anything anywhere. Disposing of it in an ecologically responsible manner is always an option.)

      Also keep in mind that this is not simply wiping and reselling a dozen drives from the sales department. With a company the size of Northrop Grumman, we might be talking about 30,000 drives a year from each round of desktop upgrades. That volume requires a well defined process to ensure that each and every drive is properly end-of-lifed.

      I have a lot of experience watching Corporate America screwing up the simplest of tasks (including hard drive disposal.) So you hire a firm to wipe those drives but forget to ship them to him. Or the contractor in Tulsa who disconnects them from the desktop doesn't know about the wiping step. Or the instructions get confused and the shipper sends them from the desktop location directly to the reseller. Or the shipping label falls off the box and the drives end up at FedEx's lost-packages auction. Or the wiping guy you hire screws up pallet #37 and doesn't wipe them. Mistakes happen.

      It doesn't matter if wiping is 100% effective or 99% effective, or if the NSA can or cannot recover the data. Failing to wipe the drive is the real risk; even a PBS reporter can recover unwiped data!

      The best way to avoid those mistakes (to mitigate the risk) is to make the end-state for the drives be a slag furnace instead of a reseller. Even if the guy forgets to smash all of them, the next stop is to drop them in a vat of molten aluminum, not to send them to Ghana.

      John

      * The risk can be roughly calculated as: the chance that the wiping of a specific drive will be missed, times the number of drives to wipe, divided by the percent of drives that might have value on them, times the cost of the exposure of that valuable data. If you're a government contractor with Top Secret data on a drive, that cost might be the value of your entire business plus penalties plus jail time. If you're a retailer the cost might be lawsuits from Visa and a bunch of angry customers. If you're at home with a drive full of the kid's homework and some downloaded games, the cost might be nothing.

      --
      John
    16. Re:Erasure Device? by mlts · · Score: 1

      At my last job, I used DBAN in combination with HDDErase when reassigning machines from one department to another.

      HDDErase tells the drive to do a secure erase on the controller level, erasing even remapped tracks. Then, I run DBAN, and it saves a confirmation that the drive was erased to a floppy, and that is kept as an audit log.

      In reality, either method will do the job. However, HDDErase gets parts of the drive that DBAN doesn't, and DBAN generates a good audit file. Should something come up about allegations of leaked data, I can show due diligence in ensuring that data (mainly licensed software that was licensed to one department but not another) was erased.
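
Added example, not part of the thread or any poster's own tooling: a read-back check and audit record for a zero-overwrite pass, covering the failure the comments above worry about most, a wipe that was skipped or stopped part-way. It runs against constructed image files; the serials, operator name and record fields are assumptions, and it only sees sectors the OS can address, so remapped sectors still need the drive's own secure erase.

```python
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # read/write 1 MiB at a time


def target_size(f):
    """Size via seek, which also works for block devices (st_size is 0 there)."""
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    return size


def zero_fill(path, stop_after=None):
    """Overwrite the target in place with zeros.

    stop_after (bytes) simulates a wipe that was interrupted part-way.
    Returns the number of bytes written.
    """
    with open(path, "r+b") as f:
        size = target_size(f)
        limit = size if stop_after is None else min(size, stop_after)
        written = 0
        while written < limit:
            chunk = min(BLOCK, limit - written)
            f.write(b"\x00" * chunk)
            written += chunk
        f.flush()
        os.fsync(f.fileno())
    return written


def first_residue(path):
    """Read back every block; return offset of the first non-zero byte, or None."""
    with open(path, "rb") as f:
        offset = 0
        while True:
            block = f.read(BLOCK)
            if not block:
                return None
            stripped = block.lstrip(b"\x00")
            if stripped:
                return offset + len(block) - len(stripped)
            offset += len(block)


def audit_record(serial, path, operator):
    """Build the record kept as evidence; 'release' gates the drive leaving."""
    with open(path, "rb") as f:
        size = target_size(f)
    residue = first_residue(path)
    return {
        "serial": serial,  # hypothetical label, normally read off the drive
        "size_bytes": size,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "first_residue_offset": residue,
        # An empty or unreadable target must never count as "clean".
        "release": size > 0 and residue is None,
    }


def make_constructed_image(path, size=3 * BLOCK + 4096):
    """Constructed stand-in for a used drive: a repeated marker string."""
    marker = b"CONSTRUCTED-SAMPLE contract draft, not real data\n"
    with open(path, "wb") as f:
        f.write((marker * (size // len(marker) + 1))[:size])
    return size


def demo():
    """Wipe one image fully and one only partly; return both audit records."""
    records = []
    with tempfile.TemporaryDirectory() as d:
        for serial, stop in (("SAMPLE-0001", None), ("SAMPLE-0002", 2 * BLOCK)):
            img = os.path.join(d, serial + ".img")
            make_constructed_image(img)
            zero_fill(img, stop_after=stop)
            records.append(audit_record(serial, img, operator="example"))
    return records


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

The second record comes back with `release` false and the offset where the interrupted pass stopped, which is the drive that should go back on the "not done" pile.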

    17. Re:Erasure Device? by 1u3hr · · Score: 1
      But everything boils down to cost:

      Not for everyone. Creating toxic waste by destroying a useful article may financially be the optimal choice, but it's objectionable on other grounds; morality, social responsibility. But apparently you don't think these matter.

      And if a company can't work out how to be sure they erase a disk before they dispose of it, I submit they can't be trusted to do much at all. Obviously they also thought "everything boils down to cost" and chose the lowest cost option, some contractor who possibly even paid them to take away the disks while promising to erase them. That does not invalidate the whole idea of erasing and recycling the disks. It just shows you that focusing solely on "lowest cost" has risks.

    18. Re:Erasure Device? by plover · · Score: 1

      But everything boils down to cost:

      Not for everyone. Creating toxic waste by destroying a useful article may financially be the optimal choice, but it's objectionable on other grounds; morality, social responsibility. But apparently you don't think these matter.

      My opinion matters some, in that I have a say in how my corporation disposes of some of our used equipment. But my post is not just our experience, it's an observation of how most big corporations do business, and how engineers and managers are taught to evaluate decisions like these. Corporations make most decisions based on money, because it's the only universal score card they know. Some corporations certainly try to "do good" or "be green", (or at least take credit for it when it's easy to do so) but that's still no excuse for being stupid or careless with sensitive or regulated data.

      And I've seen people make all kinds of mistakes. When you're dealing with hundreds of locally contracted service people and installers, not every one turns out to be a rocket scientist. Simple instructions ("remove drive, record serial number on form, smash drive with big hammer, give smashed drive to supervisor, supervisor counts smashed drives, puts smashed drives in box") are the most reliable. The shipping errors, box confusion errors, all those are very real problems we've experienced. Smashing the drives on site is the most reliable protection mechanism we have. (Even though any remaining sensitive data would be public key encrypted, it's just not worth the risk.)

      Personally, I think that the drives should be recycled instead of resold for a different reason: drives older than just a few years are not clean. They are not RoHS compliant. They are not energy inefficient. Their motors consume twice the power of newer drives, and if you're trying to achieve the same storage with four 100GB drives that you can do with a single terabyte drive, you're now wasting eight times as much electricity. I also think that buying old drives is a poor value: drives have a very finite lifetime, and the previous owner used up the best part of it. You're buying a pre-lit fuse.

      Finally, you are all worried about "toxic waste". Yes, in this news story the drives were irresponsibly sent to a third-world country where they are being dumped on the ground and probably delivering heavy metal toxins to the local people's ground water. But I know there are smelters (at least here in the United States) who can responsibly recycle the components. It takes about 1% of the energy to recycle aluminum than it did to refine the ore. Smelters also recover gold and other precious metals from the slag. The lead is recovered. The silica is inert. Filters (when installed) can trap the particulates. It doesn't have to be a "dirty" process, if you're willing to pay for responsible disposal.

      For example, I had a few dozen hard drives laying around my house and I decided to get rid of them earlier this year. Rather than try to spin them up and erase them all, I opened the cases, recovered the magnets, pulled the platters, stripped all circuit boards and any solder connections I saw, and brought them to the smelter. It cost me $0.15 per pound to dispose of the items that had lead (it totaled less than a dollar.) The rest of the pieces, copper wires, aluminum frames, steel bearings and such, all were accepted for free. It probably took me twenty minutes each to strip them, though; the instructions to do it would have been too complex for my manager let alone the dozens of remote install crews, and I don't know if a corporation would budget that much money for disposal.

      I also now have an awesome collection of neodymium magnets! :-)

      --
      John
    19. Re:Erasure Device? by 1u3hr · · Score: 1
      When you're dealing with hundreds of locally contracted service people and installers, not every one turns out to be a rocket scientist

      Yeah. And again, this is caused by simply trying to do it at the lowest possible cost. I could, in 5 minutes, work out a simple cheap, effective way to do this. (Old PC with removable drive bays: erase, image with FreeDOS, DSL or whatever and show a boot screen. Stamp drive with "CLEANED" label.) If it's an important problem -- and it is, as the "cost effective" method demonstrably fails over and over, the lowest bidding contractor not having any incentive to give a shit about cleaning off another company's data -- it's worth working out a system. And "Smash with a hammer" is such a system, but in my view, an irresponsible one, not to the company, but to society.

      Even though any remaining sensitive data would be public key encrypted, it's just not worth the risk.)

      If you can crack public key encrypted data, contact the NSA and FSB, see how many million dollars you can get for the method.

      if you're trying to achieve the same storage with four 100GB drives that you can do with a single terabyte drive...

      Sure. But if all you want is one 100 GB drive, it's fine. (My laptops have 12 or 16 GB, and are half empty. My PC has 80 GB, one day I'll upgrade it, but am in no rush.)

      People who buy used hardware know the limitations. And if you have old hardware, the only reasonable source for compatible parts is the used market. (IDE drives, old laptop RAM, Laserjet accessories....)

  12. Re:Yea by rhook · · Score: 5, Insightful

    Those "locks" do nothing to protect the data, and the drive still spins up when power is applied. You can even retrieve the password if you know what you're doing. Full drive encryption is a much better solution.

  13. Encryption by sleekware · · Score: 1

    Perhaps they should start full-disk encrypting their hard drives. Being a government contractor, especially a government contractor that deals with security, encryption as a requirement is not a bad idea. Of course the disk still should be properly wiped before being disposed of.

  14. Cheaper option: Rifle by Anonymous Coward · · Score: 2, Interesting

    They make nice targets. Even the NSA would be hard-pressed to get data off of platters with bullet holes in them. I have seen this done with a high-velocity 7mm bolt-action rifle. VERY effective. Auditor asks how we ensure that hard drives are erased when they are taken out of service. Of course we erase them before using our "special process". Showed them a few samples, bullet holes and all. No more questions about hard drive erasure.

    1. Re:Cheaper option: Rifle by SydShamino · · Score: 1

      Do you shoot the rifles inside the secure office area? No? Do you carry the drives outside of the building and shoot them in a less secure area of your campus? No? Do you take them off site and shoot them at a range somewhere? Yes?

      You're not as secure as you think.

      --
      It doesn't hurt to be nice.
    2. Re:Cheaper option: Rifle by Anonymous Coward · · Score: 1, Insightful

      It's funny how people go all alarmed about the milligrams of heavy metals in e-waste, such as a hard drive, which gets buried in a sanitary landfill. But blasting it open with a good-sized chunk of lead and spewing the resulting fragments all over the place is OK, though.

    3. Re:Cheaper option: Rifle by Anonymous Coward · · Score: 0

      > Do you shoot the rifles inside the secure
      > office area? No?

      Yes, actually

      > Do you carry the drives
      > outside of the building and shoot them in a
      > less secure area of your campus? No? Do you
      > take them off site and shoot them at a range
      > somewhere? Yes?

      No.

      > You're not as secure as you think.

      You're presuming. Good work, glad to see the old slashdot habit of making random statements and taking them as fact is alive and well.

      Keep it up, chipper.

  15. Linux CD by fenring · · Score: 2, Insightful

    Yes, it's called a linux bootable cd. It turns out it's quite cheap as well.

  16. Geez. No excuse. EABOD. by bobdotorg · · Score: 1

    How tough is it to DBAN (Darik's Boot And Nuke) a PC before sending it to the disposal company?

    This employee should be forced to EABOD (Erase A Bunch Of Disks).

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  17. Since when was data totally secure? by Bob_Who · · Score: 2

    The only secure information is never written down or told to other people.

  18. Re:Yea by drinkypoo · · Score: 1

    Those "locks" do nothing to protect the data, and the drive still spins up when power is applied. You can even retrieve the password if you know what you're doing.

    This might be possible if you know the drive very well; the vendor might have a tool which can handle it. But you need to know the manufacturer's command to print the HDD lock code, since there is [obviously] no standard ATA or ATAPI code to do so. If there were, hacking Xboxes would be a hell of a lot easier.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. me smell's B.S by Anonymous Coward · · Score: 2, Interesting

    Not that this doesn't happen, I just find the story unlikely, reporters go to a random market in a random country and find this disk. More likely they had the disk beforehand and just made up the market bit.

    1. Re:me smell's B.S by Mikkeles · · Score: 1

      ... likely they had the disk beforehand ...'

      As though getting hold of this disk beforehand isn't also a security failure? Where and how they got it isn't the real story.

      --
      Great minds think alike; fools seldom differ.
    2. Re:me smell's B.S by codegen · · Score: 1

      The link given in the summary is a horrible article. It was actually Canadian journalism students, and they were working on a story about e-waste. It wasn't just some random country, they were following leads from North America. Better links are at The Register and at the CBC.

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
  20. Name of outsourced company? by Anonymous Coward · · Score: 0

    Here's the $64,000 question - what was the name of the data destruction company that obviously failed to perform to the contract specifications? Everyone here needs to know that.

    Northrop-Grumman almost certainly outsources this part of their IT. They may outsource other parts. I worked at a competing company that placed a bid on a NASA IT desktop management contract. N-G won it because they were the low bidding submission. Many of the people that already had the contract just changed badges from X to N-G and took a 15% pay cut. Nice. I was just on the proposal team.

    Proprietary documents don't usually get treated like SECRET documents because there isn't jail time if the contract isn't followed.

    1. Re:Name of outsourced company? by HikingStick · · Score: 2, Interesting

      It doesn't matter whether N-G handled it in-house or subcontracted the task. It was their responsibility to make sure the data was kept private or properly destroyed. If it was handled by a subcontractor, there should have been oversight provisions in place. While a subcontractor may have made the ultimate error, it does not clear N-G of its responsibility.

      --
      I use irony whenever I can, but my shirts are still wrinkled...
  21. Position Sensitivity by Anonymous Coward · · Score: 0

    The sensitivity of the position determines what types of legal paperwork was signed. Upper and first level management set the tone for how seriously any violation of contracts and laws are since it is unlikely any violation will ever be known outside the company. To me, an "Oath" is less important than a contract, but I'm an atheist and think all the people talking to themselves are crazy and stupid even if they call it "god."

    I've signed many legal agreements concerning sensitive data for companies and the US government. My employer never knew some of the things that were US government secrets since they didn't have a need-to-know. I take these agreements **very** seriously and never treat any company or government data lightly.

    Data security rules are there to keep the data secure, not make your job easier.

    Even my immediate boss inside the company didn't have clearance to know most of what I did. Annual evaluations were funny since he wasn't allowed in the building. I'd have to meet him at a different location to have a face to face conversation. "I hear they are happy with your work. Sorry this pay raise isn't as much as we'd like to give you. Your work is definitely worth 2-3x more." I say, "thanks. No problem." Then 2 weeks later, I accept a different position for 2x the salary. 3 years later, I accept another position for 2x the last salary. Now, I'm retired.

    1. Re:Position Sensitivity by tibman · · Score: 2, Interesting

      I'd say an Oath is a Moral "contract" and a Contract is a Legal "contract". God is not part of any oath I've ever taken. The US Constitution is the highest authority in the country.

      It's nice to talk to a contractor that has had good experiences working inside the government. I'm being very honest, it's good to hear a gov employee say they take their job very seriously.

      I have mostly dealt with KBR and NG which left a bad taste in my mouth. The worst cases being the $7,000 per month (rent) canvas tents my platoon lived in and a $100K generator that wouldn't run more than 10 hrs without someone babysitting it. The true reasons the Iraq war has cost us so much money.

      --
      http://soylentnews.org/~tibman
    2. Re:Position Sensitivity by Anonymous Coward · · Score: 0

      You must be mistaken. Outsourcing everything (except the bleeding) to contractors saves us money.

    3. Re:Position Sensitivity by tibman · · Score: 1

      I'll call you to come repair my HMMWV the next time it breaks down in the middle of a mortared hellhole fob.

      We need soldier mechanics, soldier IT admins, soldier construction workers, and soldier doctors.

      You can't eliminate those military jobs and make them civilian, even during peace time. Those soldiers need those jobs to practice and prepare for the day they are deployed. I do believe that civilian counterparts (as equals) in those positions for peace time continuity and knowledge bases is an excellent idea.

      I believe the real reason for all this conversion is because the Army has been downsized to the point of not being able to field as many trigger pullers. Not being able to expand to wartime tables they had to convert as many jobs as possible to maximize the personnel capable of deploying combat positions.

      --
      http://soylentnews.org/~tibman
  22. I guess, that this is the openness of gov, that .. by WindBourne · · Score: 1

    pubs and dems speak of. Problem is that we have to go to countries like Ghana, Russia, China, Venezuela, Iran, and North Korea to get it. Hopefully, Obama realizes that Security MUST change. We need to worry more about other nations and the companies that we employ, and less about spying on our citizens.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  23. good thing by airdrummer · · Score: 1, Offtopic

    i'm getting laid off next weds;-)

    1. Re:good thing by Anonymous Coward · · Score: 0

      Too bad you're not getting laid!

  24. Re:Yea by Culture20 · · Score: 1

    Couldn't you just replace the circuit board with an identical one? Tada, data.

  25. This isn't a big surprise... by monktus · · Score: 1

    A friend of mine lived in Ghana for a while and got fed up with being constantly harangued by market traders so he told one of them that there was something he could do with - a monkey head. Sure enough, the trader offered him one for about $90. My friend baulked at the amount, saying he could buy a live monkey for far less and remove the head himself. He was of course then offered a whole monkey at a bargain price.

    --
    Weaseling out of things is important to learn. It's what separates us from the animals... except the weasel."
  26. They should implement... by hesaigo999ca · · Score: 1

    They should implement a stronger punishment and reward scheme for this. Award a major amount of money for drives that are not wiped clean... this will lead you to the person who did the damage. So you pay to find out who, then that person in turn owes you back for the money you spent... so 1 or 2 cases like these will be enough to send a clear picture to the rest of them... it's easy enough to use a data wiping software... turning all bits into zeros. Seriously... get educated if you handle getting rid of hardware that belonged to a company with sensitive materials!

  27. V.I. Lenin said it best by Torodung · · Score: 2, Insightful

    "The Capitalists will sell us the rope with which we will hang them." -V.I. Lenin

    Let's prove him wrong, eh?

    --
    Toro

  28. Re:Yea by Anonymous Coward · · Score: 0, Interesting

    Speaking as someone that works at seagate, doing test process and calibration:

    If you replace the board with an 'identical' one, you will lose all the calibration information, this includes things like telling the drive how to keep the heads from crashing into the disk to where the data tracks actually are, things that differ from drive to drive.

    Most likely pulling this switch will yield nothing but a brick.

  29. Re:Geez. No excuse. EABOD. by Anonymous Coward · · Score: 0

    Trickier than you think. The problem is that a lot of the drive erasing software people are mentioning in this thread isn't NIAP approved, which means that the Common Criteria Testing Laboratory hasn't analyzed the product, run it a bunch of times, and verified by hand that it does what it says it does. You, I, and some subset of Slashdot's readers might be inclined to check out the source code for DBAN, read it, test it, and make sure that our porn stashes are irretrievable, but the US government and military don't. They rely on the NIAP list to 'prove' (for some meaning of the word) that a given product does what it's supposed to and meets their standards, and trying to use unapproved software in those particular areas of employment is difficult in the extreme. The US military does have access to a couple of drive purging apps but the trick is actually getting hold of them.
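Added example, not part of the thread or any commenter's code: one way to check that a zero-fill wipe "does what it says it does" is to read the whole target back and report the first non-zero byte. The image file, marker text and function names are constructed for illustration; the partial pass stands in for a tool that stops early.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads and writes keep memory use flat

def zero_fill(path, limit=None, chunk=CHUNK):
    """Overwrite the file or block device at path with zeros.
    limit (hypothetical knob) caps the bytes written, to model an incomplete wipe."""
    zeros = bytes(chunk)
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        todo = size if limit is None else min(size, limit)
        f.seek(0)
        written = 0
        while written < todo:
            n = min(chunk, todo - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros actually reach the medium
    return written

def first_nonzero(path, chunk=CHUNK):
    """Read everything back; return the offset of the first non-zero byte, or None."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return None
            if block.count(0) != len(block):
                return offset + len(block) - len(block.lstrip(b"\x00"))
            offset += len(block)

def demo():
    """Constructed 3 MiB 'disk' with leftover data in its last third."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(bytes(3 * CHUNK))
            f.seek(2 * CHUNK + 4096)
            f.write(b"CONSTRUCTED CONTRACT DOCUMENT")
        before = first_nonzero(img)
        zero_fill(img, limit=CHUNK)      # incomplete wipe: first MiB only
        after_partial = first_nonzero(img)
        written = zero_fill(img)         # full pass
        after_full = first_nonzero(img)
        return before, after_partial, written, after_full

if __name__ == "__main__":
    print(demo())
```

A clean read-back only covers sectors the drive still exposes to the host; remapped sectors and SSD spare area are outside what this check can see.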

  30. Other Benefits of Disassembly by Millennium · · Score: 1

    Sure, disassembling hard drives is time-intensive. But the real reward is that you can salvage a bunch of really powerful magnets for mad-science experiments.

    1. Re:Other Benefits of Disassembly by marquis111 · · Score: 1

      That's my strategy too. I find they are good for novelties, projects, and showing off to my friends. A couple times a year, I get a call from someone I know who needs a powerful small magnet for some projects. Good data security path, too: drive electronics broken and in one trash can? Check. Chassis in the aluminum recycling bin? Check. Platters hung in my cubicle for a cheap rear-view mirror OR platters lightly sanded on all surfaces with a grinder for that extra data-gone goodness? Check.

  31. Watch the incredible Frontline/World report by Anonymous Coward · · Score: 0

    It's a shame that the original Frontline/World video report wasn't linked to -- it's an incredible and horrifying expose on the worldwide problems of e-waste disposal.

  32. Right in your garage (was:Erasure Device?) by Lead+Butthead · · Score: 1

    Does anyone know if there are any stand alone devices designed to erase the data on a hard drive? I am thinking something you plug in and it then goes about erasing all the data (I am thinking simpler and cheaper than a PC).

    It's called a power drill. Just fit it with a metal cutting drill bit and you're ready.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  33. The NSA should just buy all the drives on eBay! by whoever57 · · Score: 4, Funny

    Instead of using illegal wiretaps, the NSA should just buy every drive that is sold on eBay. Just think of the information they could mine out of them!

    --
    The real "Libtards" are the Libertarians!
    1. Re:The NSA should just buy all the drives on eBay! by TheLink · · Score: 1

      Not all- just the ones they aren't reselling on ebay ( with custom rootkits and other fun stuff ;) ).

    2. Re:The NSA should just buy all the drives on eBay! by pengipengi · · Score: 1

      That's true, they are only sold by zeroes.

  34. Re:Yea by Sir_Lewk · · Score: 2, Informative

    Nonsense, placing platters into other drive enclosures to aid in data recovery is one of the oldest tricks in the book. It may not be perfect but it'll certainly work well enough.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  35. Re: Hoff! by TaoPhoenix · · Score: 1

    The Hoff was right this time though. He TOLD us that the data is "Looking For Freedom."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  36. Terrorism prevention is always going to be.... by i_want_you_to_throw_ · · Score: 1

    a defensive exercise. It doesn't matter what you do possibilities like this are always going to happen. There are always going to be lapses or loopholes and when they happen it's always going to be "OH-MY-GOD-I-CANT-BELIEVE-THIS-IS-POSSIBLE" and then there's some outrage and then either behavior continues or some other "OH-MY-GOD-I-CANT-BELIEVE-THIS-IS-POSSIBLE" thing happens.

    It does bring up the point that you shouldn't count on contractors like Lockheed, Northrop, etc to keep us safe, they'll only do what's cheapest.

    At the federal agency I work with we physically destroy the hard disks we excess.

    Although I can see if some contractor just deleted data and then let the drives out that inevitably some news outlet would discover that Disk Doctor actually exists and then ....
    yet again...
    another..
    "OH-MY-GOD-I-CANT-BELIEVE-THIS-IS-POSSIBLE"

  37. ACTA... by anonieuweling · · Score: 1

    All that is (in fact...) coming from the government that wants to force ACTA onto the world.
    http://www.eff.org/press/archiveso/2009/05/06

    Yes, the military-industrial complex owns the government.

  38. Actually, No by __aatdha9242 · · Score: 1

    What the GP appears to be referring to is an ATA password. This does not encrypt any data on the disk, but it does lock the drive, and store a hash of the password on the disk itself. Replacing the circuit board will not fix this, as the new circuit board will detect the password, and keep the drive locked.

  39. Re:Geez. No excuse. EABOD. by Anonymous Coward · · Score: 0

    If you're working there you want EBAN not DBAN for records sake.

    Though I'd think they would be using hd destroying machines.

  40. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  41. what makes u think that? by airdrummer · · Score: 1

    i'm not ur typical /.er living in my parents' basement;-)

  42. Drive disposal by Sasayaki · · Score: 1

    The best way to dispose of a hard drive is to open it up to get the platters, blast them with a blowtorch until they become brittle, smash them to tiny bits/powder with a hammer then scatter the tiny bits into the ocean.

    --
    Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
    1. Re:Drive disposal by Anonymous Coward · · Score: 0

      Nah, nuke the entire site from orbit, it's the only way to be sure.

  43. Re:Yea by metaforest · · Score: 1

    In many cases, just swapping drive controllers works just fine for data recovery. Haven't tried that with a password-locked drive. But it stands to reason if the hashed password is stored in flash rather than on the platters then swapping the controller would be a potentially viable attack.