Slashdot Mirror


New Toshiba Drives Wipe Data When Turned Off

CWmike writes "Toshiba on Tuesday introduced a new hard drive feature that can wipe out data after the storage devices are powered down. The Wipe feature in Toshiba's SED (Self-Encrypting Drives) will allow for deletion of secure data prior to disposing or re-purposing hard drives, Toshiba said. The technology invalidates a hard-drive security key when a system's power supply is turned off. The new Wipe capability will go into future versions of the SED drives, for which no timeframe was given. Beyond use in PCs, Toshiba wants to put this feature on storage devices in copiers and printers."


  1. Lots of uses for this technology... by mlts · · Score: 5, Insightful

    I can see this used not just in copiers where temporary files need to be zapped for privacy reasons, but in a number of other places:

    1: Photo kiosks.
    2: Documents stored on public access computers.
    3: Medical terminals used for X-ray viewing.
    4: Cash register terminals for storing CC data.
    5: CCTV DVRs. If a video time frame needs to be flagged for long term copying, it is.
    6: Proxy/sendmail log servers where logs don't have to be kept for longer than it takes to check if there is an intrusion.
    7: Temporary scratch space for a database server, say to pack and unpack normally encrypted BLOB/CLOB data.
    8: A special hard disk just for /tmp. If one thinks about it, this type of HDD is absolutely perfect for the /tmp filesystem in the classic sense of it being zeroed out on reboot.
    9: Temporary scratch space when unarchiving data and putting it on a secure partition or tape drive. For example, getting data from tape or another site, storing it temporarily to get a machine to restore locally.
    10: A machine set up and automatically imaged for guests to browse the Web.
    11: A machine set up and autoimaged in a student computer lab. This way, a power cycle ensures that private data is not recoverable from the previous student.
    12: Drives set up for swap. This way, a power cycle removes all traces of a virtual machine's paging.
    13: Community clouds, where a VM is cloned to the drive, used to give better capacity, then shut down and the drive cycled so the next user on that drive doesn't have access to the previous user's data.
    14: A place to decode encryption keys temporarily pulled out of a HSM to be copied to another source.
    15: Airport X-ray machines so the private pictures of people stay private.

    1. Re:Lots of uses for this technology... by Anonymous Coward · · Score: 5, Funny

      I guess it was either that, or telling everyone they were holding it wrong.

    2. Re:Lots of uses for this technology... by cosm · · Score: 2, Funny

      16. Porn.
      17. More Porn.

      Let's not be shortsighted.

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    3. Re:Lots of uses for this technology... by von_rick · · Score: 2, Insightful

      Most of the applications you have listed are subsets of no.8 on your list, "A special hard disk just for /tmp".

      --
      Face your daemons!

    4. Re:Lots of uses for this technology... by MBGMorden · · Score: 4, Funny

      16. Porn.
      17. More Porn.

      Let's not be shortsighted.

      Take your own advice. Do you think any self respecting slashdotter is going to put his porn on a drive that erases itself when powered down? Heck most of us won't trust our collection to anything short of RAID6!

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    5. Re:Lots of uses for this technology... by compwizrd · · Score: 3, Insightful

      You've got some redundancy in your list there!

    6. Re:Lots of uses for this technology... by Ironhandx · · Score: 3, Funny

      Raid 1+0 here. When you gotta have it, you gotta have it. Access delays not allowed.

    7. Re:Lots of uses for this technology... by AndrewNeo · · Score: 2, Funny

      You power down your machines?

    8. Re:Lots of uses for this technology... by Deosyne · · Score: 4, Funny

      I haven't calculated the odds of both of the UPS units and the generator attached to the porn cluster failing at the exact same time, but that's just not a chance that I'm willing to take.

    9. Re:Lots of uses for this technology... by tepples · · Score: 4, Funny

      Do you think any self respecting slashdotter is going to put his porn on a drive that erases itself when powered down?

      It depends on the country and the subject of the pornography. Some countries persecute and/or prosecute people who collect erotic pictures of some subjects.

    10. Re:Lots of uses for this technology... by afidel · · Score: 2, Insightful

      Doesn't matter, if it's doing AES256 correctly the universe will die of heat death before you can brute force the key. Unless someone comes up with a significant attack against AES256 I wouldn't worry about the recoverability of the encrypted data.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    11. Re:Lots of uses for this technology... by Joce640k · · Score: 2, Informative

      The key is only known to the drive, the owner doesn't know it.

      --
      No sig today...
    12. Re:Lots of uses for this technology... by fluffy99 · · Score: 2, Interesting

      I recall a story about so-called AES encrypted thumb drives. While the hardware symmetric key was encrypted with AES, the actual 'encryption' of the data stored in the memory itself was nothing more than XORing the data with the secret key. Not terribly secure. Is this Toshiba drive actually doing any sort of decent encryption, so that losing the key is significant?

      What makes this any more secure than Bitlocker or other similar whole drive/partition encryption with a passphrase?

  2. Congratulations... by Anonymous Coward · · Score: 5, Funny

    You invented random-access memory. Good job!

    1. Re:Congratulations... by Amouth · · Score: 2, Funny

      actually they realized that they could make a market for their self encrypting disks where the nvram to store the keys was bad... 

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:Congratulations... by IICV · · Score: 2, Interesting

      Not necessarily - you can still read the contents of RAM relatively accurately for up to ten minutes after the power goes out as long as you're quick about extracting the sticks and applying some cryogenics (a spray from an upside-down can of compressed air works pretty well). Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecoverable.

    3. Re:Congratulations... by Kymermosst · · Score: 2, Interesting

      Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecoverable.

      The KISS principle suggests that they would use a capacitor.

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    4. Re:Congratulations... by sixfootfive · · Score: 4, Funny

      Sounds more like Toshiba said, "Hey, we have this lot of bad drives, why don't we classify them as wipe feature enabled."

    5. Re:Congratulations... by mattack2 · · Score: 2, Informative

      Not but a faulty cat will ruin your day

      Always mount a scratch cat.

  3. Murphy's Law by SilverHatHacker · · Score: 3, Interesting

    Sounds like a good idea, but I'm almost positive there will be instances where important data is going to be screwed with by mistake. I personally would rather not have my hard drive erasing my data without my express approval, but I'm not the average Joe.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Murphy's Law by hviniciusg · · Score: 3, Informative

      A better solution would be this automated self destructing HD that can be remotely destroyed :D

      "The Enhanced Hard Drive solves the problem of computers that are lost or stolen. A new hard drive feature will become the last word in data protection. A destruction technology is embedded in the hard drive casing and can be initiated by as many as 17 remote triggers. Once deployed, the data stored on the disks is destroyed beyond forensic recovery. The process is non-toxic, non-combustible and does not cause any collateral damage to the other parts of the computer. The process is self-powered. In other words, the drive does not need to be in the computer for the system to operate." http://www.deadondemand.com/products/enhancedhdd/

  4. My kingdom for a UPS by king_grumpy · · Score: 2, Interesting

    In other news today, a company under investigation by authorities claimed all the data was wiped from their servers following an unexpected power outage.

  5. It's just a RAM disk then? by Dynamoo · · Score: 2, Insightful

    Remember RAM disks? Kind of an eighties thing I guess..

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:It's just a RAM disk then? by h4rr4r · · Score: 2, Informative

      Not a problem with a tmpfs on a beefy server.

    2. Re:It's just a RAM disk then? by tepples · · Score: 2, Funny

      Remember RAM disks?

      Is that an operating instruction?

      Yes. In context, it means "speculatively load what you know about the basics of RAM file systems".

  6. Re:How this works by xemc · · Score: 3, Informative

    According to the article, it uses this "Opal" storage spec. (didn't find it on wikipedia..)
    Below from: http://www.trustedcomputinggroup.org/resources/storage_application_note_encrypting_drives_compliant_with_opal_ssc

    Storage Application Note: Encrypting Drives Compliant with Opal SSC

    This document provides examples of the communication between a host and a storage device implementing the TCG Storage Security Subsystem Class: Opal SSC and the TCG Storage Architecture Core Specification.

    Examples are provided for the following scenarios:

            * Discovering whether a storage device supports Opal SSC
            * Taking ownership of the storage device
            * Activating the Locking SP
            * Changing the Admin1 PIN in the Locking SP and adding users
            * Configuring Locking Objects (LBA ranges)
            * Unlocking ranges
            * Erasing a range
            * Enabling the MBR shadow
            * Un-shadowing the MBR
            * Reverting the TPer
            * Reverting the Locking SP
            * Using the DataStore table

    For further reading, here's what looks like the spec:
    http://www.trustedcomputinggroup.org/files/static_page_files/9FE14508-1D09-3519-AD7D21A695E9B8EE/Opal_SSC_1.00_rev3.00-Final.pdf
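    The first scenario in that application note, "discovering whether a storage device supports Opal SSC", is done by sending a Level 0 Discovery request (TRUSTED RECEIVE, protocol ID 0x01, ComID 0x0001) and parsing the response. The parser below is an added example, not code from the thread, Toshiba or the TCG; the header and feature-descriptor layouts and the feature codes follow the TCG Storage Core and Opal SSC specs as I read them, and the two responses it parses are constructed by hand rather than captured from a real drive, so treat the layouts as assumptions to check against the spec text linked above. It answers the question fluffy99 asked further up: the Locking descriptor carries a "media encryption" bit, so a drive that speaks the TCG protocol but reports no hardware encryption (a Pyrite-class drive in the second sample) is not a self-encrypting drive in the sense the summary uses.

```python
import struct

# Feature codes from the TCG Storage Core / SSC specs (assumed values; verify against the spec).
FEATURE_CODES = {
    0x0001: "TPer",
    0x0002: "Locking",
    0x0003: "Geometry",
    0x0100: "Enterprise SSC",
    0x0200: "Opal SSC v1.00",
    0x0201: "Single User Mode",
    0x0202: "DataStore Table",
    0x0203: "Opal SSC v2.00",
    0x0301: "Opalite SSC",
    0x0302: "Pyrite SSC v1.00",
    0x0303: "Pyrite SSC v2.00",
    0x0402: "Block SID Authentication",
}
# Descriptors that identify which Security Subsystem Class the drive implements.
SSC_CODES = (0x0203, 0x0200, 0x0100, 0x0301, 0x0302, 0x0303)
HEADER_LEN = 48  # 4-byte length + 2+2 revision + 8 reserved + 32 vendor-specific


def parse_level0_discovery(buf):
    """Split a Level 0 Discovery response into {feature_code: (version, data)}."""
    if len(buf) < HEADER_LEN:
        raise ValueError("response shorter than the 48-byte header")
    param_len, major, minor = struct.unpack_from(">IHH", buf, 0)
    end = min(len(buf), 4 + param_len)  # the length field does not count itself
    features = {}
    off = HEADER_LEN
    while off + 4 <= end:
        # Each descriptor: feature code (2), version in the high nibble (1), data length (1), data.
        code, ver_byte, length = struct.unpack_from(">HBB", buf, off)
        data = buf[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated feature descriptor 0x%04x" % code)
        features[code] = (ver_byte >> 4, data)
        off += 4 + length
    return (major, minor), features


def describe(buf):
    """Summarise what matters for an SED check: SSC, locking flags, hardware encryption, base ComID."""
    revision, features = parse_level0_discovery(buf)
    ssc = next((FEATURE_CODES[c] for c in SSC_CODES if c in features), None)
    info = {"revision": revision, "ssc": ssc,
            "features": [FEATURE_CODES.get(c, "0x%04x" % c) for c in features]}
    if 0x0002 in features:
        flags = features[0x0002][1][0]  # first byte of the Locking descriptor
        info["locking"] = {
            "supported": bool(flags & 0x01),
            "enabled": bool(flags & 0x02),
            "locked": bool(flags & 0x04),
            "media_encryption": bool(flags & 0x08),
            "mbr_enabled": bool(flags & 0x10),
            "mbr_done": bool(flags & 0x20),
        }
    for code in (0x0203, 0x0200):  # Opal descriptors start with base ComID and ComID count
        if code in features:
            info["base_comid"], info["num_comids"] = struct.unpack_from(">HH", features[code][1], 0)
            break
    info["is_sed"] = ssc is not None and info.get("locking", {}).get("media_encryption", False)
    return info


def _descriptor(code, version, data):
    return struct.pack(">HBB", code, version << 4, len(data)) + data


def _response(*descriptors):
    body = b"".join(descriptors)
    header = struct.pack(">IHH", 44 + len(body), 0, 1) + bytes(40)
    return header + body


# Constructed sample 1: an Opal 2.0 drive with hardware encryption, locking not yet activated.
SAMPLE_OPAL_SED = _response(
    _descriptor(0x0001, 1, bytes([0x01]) + bytes(11)),  # TPer: synchronous comms only
    _descriptor(0x0002, 1, bytes([0x09]) + bytes(15)),  # Locking: supported + media encryption
    _descriptor(0x0203, 1, struct.pack(">HHBHHBB", 0x1004, 1, 0, 4, 8, 0, 0) + bytes(5)),
)
# Constructed sample 2: a Pyrite-class drive, locking supported but no media encryption.
SAMPLE_PYRITE = _response(
    _descriptor(0x0001, 1, bytes([0x01]) + bytes(11)),
    _descriptor(0x0002, 1, bytes([0x01]) + bytes(15)),
    _descriptor(0x0302, 1, struct.pack(">HH", 0x1004, 1) + bytes(12)),
)

if __name__ == "__main__":
    for name, buf in (("opal", SAMPLE_OPAL_SED), ("pyrite", SAMPLE_PYRITE)):
        print(name, describe(buf))
```

    On a real system the bytes come from `sedutil-cli --query /dev/sdX` or from an ATA TRUSTED RECEIVE / SCSI SECURITY PROTOCOL IN issued through the OS; feed that buffer to describe() and look at is_sed before trusting a drive to do what the article claims.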

  7. Re:I find this hard to believe by Andorin · · Score: 3, Interesting

    Is it really? Perhaps I can get some education here. *nix systems come with a tool called shred, which overwrites a file multiple times with random data to provide secure deletion. We also have tools like dban, which will do basically the same thing to the whole drive. How securely do tools like these erase data?

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  8. SED? by lowrydr310 · · Score: 4, Funny

    I've always thought SED stood for "Smoke Emitting Diode"

    It's my favorite electronic component, but the only problem is that they only work once.

  9. Re:I find this hard to believe by X0563511 · · Score: 2, Informative

    dban is great, but is slow. Wiping a 500gb drive takes several hours at least.

    Shred and the like are only useful when you don't have a journaling filesystem. So that means anything but ext2 (including ext3) defeats it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. Yeah, that's great journalism by overshoot · · Score: 4, Insightful
    Somehow I don't think that Toshiba is quite so stupid as to build what TFA describes: a laptop drive that wipes itself after the power is turned off.

    My bet is on the usual baked-in drive encryption, very badly described.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  11. Re:deep freeze is better then reimage on boot fast by Galestar · · Score: 3, Insightful

    This isn't "reimage on boot". This is encrypted storage whereby the key is volatile. There is no performance problem here.

    And to reply to OP, this tech really doesn't have as many uses as you say. It is really only useful for sensitive data. You can use it for /tmp, but there's really no point. Cleaning /tmp with software can be done pretty quickly - why buy expensive hardware?

    --
    AccountKiller
  12. Not deleted, encrypted by joe_cot · · Score: 4, Interesting

    From the scant details in the article and summary, it appears that the drives are encrypted, and the "wipe" consists of getting rid of the encryption key.

    Calling that a "wipe" is rather misleading in my opinion. Toshiba's in for one hell of a liability issue if their encryption is ever cracked -- though I'm sure they'll take care of all that in the fine print.

    1. Re:Not deleted, encrypted by tepples · · Score: 2, Insightful

      Toshiba's in for one hell of a liability issue if their encryption is ever cracked

      A meaningful crack for industry-standard ciphers such as AES would make just about every firm in the IT world "in for one hell of a liability issue".

  13. "...invalidates a hard-drive security key..." by John+Hasler · · Score: 2, Insightful

    Well, the local copy, anyway...

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  14. Re:I find this hard to believe by Andorin · · Score: 2, Interesting

    Can you elaborate on how shred is defeated by any file system besides ext2? For example, does it not function properly on other file systems?

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  15. Re:I find this hard to believe by txoof · · Score: 4, Informative

    This has been covered to death here on slashdot, but basically one pass of /dev/random will pretty much take care of wiping a drive. Drive recovery companies will tell you that the hypothetical bit-by-bit recovery is possible, but is so ungodly costly that it's not worth doing unless there's something REALLY important on the drive (like pictures of your mom). If you're really paranoid, don't waste your time with shred, just dd if=/dev/urandom of=/dev/hda twice and call it a day. Shred takes F O R E V E R and really provides nothing more than a nifty status bar. If you're SUPER paranoid, dd the drive twice and yank the platters, play frisbee, build a tesla turbine or simply scratch the hell out of them and chuck them in the recycle bin.

    --
    This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
  16. Re:I find this hard to believe by gad_zuki! · · Score: 4, Informative

    >Wiping a 500gb drive takes several hours at least.

    Not really. The problem is that everyone picks some zany wiping scheme. Those Gutmann patterns don't even make sense with any modern drive. All you really need to do is zero the drive once. It doesn't take that long. I have yet to see a recovery from a drive that's been zero'd out. Anything past one pass of zeros is just extra credit.
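    The single-pass overwrite txoof and gad_zuki describe is easy to get wrong in two ways that neither comment mentions: opening the target with truncation (which frees the old blocks instead of overwriting them) and not reading the device back afterwards. The script below is an added example, not code from the thread; it does one zero pass with the semantics of `dd if=/dev/zero of=... bs=1M conv=notrunc`, then verifies the result, against a 4 MiB image file filled with a constructed marker that stands in for a drive. Point it at a block device only after you are sure of the path; nothing in it asks twice.

```python
import os
import tempfile

MARKER = b"SECRET-DOCUMENT-PAGE-"  # constructed "sensitive" content for the demo image
CHUNK = 1 << 20                    # 1 MiB, the same block size as dd bs=1M


def make_image(path, size=4 * CHUNK):
    """Fill a file with recognisable lines so a later overwrite can be verified."""
    line = MARKER + b"x" * (64 - len(MARKER) - 1) + b"\n"
    with open(path, "wb") as f:
        written = 0
        while written < size:
            f.write(line)
            written += len(line)
        f.truncate(size)
    return size


def wipe_once(path):
    """One pass of zeros over the whole target, in place, then fsync.

    O_WRONLY without O_TRUNC is the point: truncating would hand the old blocks
    back to the filesystem untouched, which is exactly what a wipe must not do.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        zeros = bytes(CHUNK)
        done = 0
        while done < size:
            done += os.write(fd, zeros[:min(CHUNK, size - done)])
        os.fsync(fd)
    finally:
        os.close(fd)
    return done


def verify_wiped(path):
    """Read the target back; count non-zero bytes and marker hits (including across chunk edges)."""
    nonzero = hits = 0
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            nonzero += len(chunk) - chunk.count(b"\x00")
            hits += (tail + chunk).count(MARKER)
            tail = chunk[-(len(MARKER) - 1):]
    return {"nonzero_bytes": nonzero, "marker_hits": hits,
            "clean": nonzero == 0 and hits == 0}


def run_demo():
    """Create the stand-in drive, check it is dirty, wipe it, check it is clean."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    os.close(fd)
    try:
        make_image(path)
        before = verify_wiped(path)
        written = wipe_once(path)
        after = verify_wiped(path)
    finally:
        os.unlink(path)
    return before, after, written


if __name__ == "__main__":
    before, after, written = run_demo()
    print("before:", before)
    print("wrote %d bytes of zeros" % written)
    print("after:", after)
```

    Using os.urandom() as the source instead of zeros changes nothing about recoverability, as gad_zuki says, but it does make the verification step harder (you can no longer check for all zeros, only for the absence of known content), which is one practical argument for the zero pass.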

  17. Re:Information, please. by txoof · · Score: 4, Informative

    All the articles are pretty poorly written, and the Computer World article misquotes the Toshiba press release

    Computer World

    Drives with the technology will go into hard drives for laptops and desktops.

    Toshiba

    But lost or stolen notebooks are not the only security risk that IT departments must address. Today, most office copier and printing systems utilize HDD capacity and performance to deliver a highly productive document imaging environment. Many organizations are now realizing the critical importance of maintaining the security of document image data stored within copier and printer systems.

    Toshiba is selling these drives as a method for securing scanning copiers. Many of the current copiers hold onto everything that is copied or scanned indefinitely leaving a gaping security hole. The new SED drives encrypt their contents and then wipe the key when the drive powers down leaving the data intact, but no meaningful method for recovering it. If a thief tries to yank a SED drive out of a copier, it automagically wipes it. If part of your security procedure is to shut down the copiers each night, your daily load of potentially secure documents and copies of Bob's butt are also automagically wiped.

    Clearly, this type of technology would be worthless in a notebook or any other type of PC. You'd always be running from outlet to outlet to save your data. It'd be an IT version of that terrible Jason Statham movie Crank 2: High Voltage. Shudder.

    --
    This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
  18. Re:I find this hard to believe by ChipMonk · · Score: 3, Informative

    Shred also works on drives. I shredded a Deskstar with a 25-pass wipe, which took over 16 hours. (And in a stroke of good timing, it started making the Deskstar "click of death" sounds less than 10 minutes after it finished.)

    But about file system journals. It's a bit much to say "any file system" besides ext2 defeats shred. The concern is this: If file data is committed to the journal first, rather than the filesystem proper, the only way shredding is secure is to shred a file that's larger than the journal. Otherwise, multiple overwrites of file data are actually going to the journal, where they'll be analyzed, all but the last overwrite will be canceled, and the file data in the filesystem ends up with only a single overwrite.

    Part of the purpose of shredding a file, is to overwrite the residual magnetic flux between tracks on a platter. Multiple overwrites on the platter will do this; shred used to do 25 overwrites by default, which was good enough for DoD secure erasure requirements. However, a FS journal would defeat this on a file that was less than 1/25 the size of the journal.

    Ext3/4 can do this, but not by default; the default is "ordered" mode, where file data goes directly to the FS, and then its metadata goes to the journal. A mount option can change this temporarily, and "tune2fs" can change the mode persistently.

    XFS and JFS journal only metadata, so shredding a file on those FS's is safe. You can verify this with an external journal on a different drive, then watch where the activity is during a shred. It isn't in the journal.

    OTOH, log-structured file systems like Btrfs may or may not erase the data in place; if the data is part of a snapshot, then later overwrites don't remove the snapshot.

    Yes, this is a lot to think about.

  19. Re:I find this hard to believe by txoof · · Score: 2, Insightful

    That's why the really paranoid can always pull out the platter and inflict whatever thermite hell they want on it.

    --
    This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
  20. Re:I find this hard to believe by KiloByte · · Score: 2, Informative

    Most modern filesystems don't put the new data into the old place. This is most prominent on JFFS (which is mostly the entire reason for it), then, in a decreasing order: btrfs, reiserfs, jfs, ext[34]. And on old filesystems on flash, you'll often have an underlying layer that does wear-levelling. Also, if there's any copy-on-write, tail packing, snapshots, etc, involved, shred will most likely be defeated as well.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  21. How can they guarantee security? by xtal · · Score: 2, Interesting

    This is a good step forward for general security.

    How could you trust this 100%? Without the firmware (and some way to verify it), this likely could / does contain backdoors.

    For the children, you see.

    I don't see a major improvement over well set up truecrypt partitions.

    --
    ..don't panic
  22. tmpfs just folds these into item 12 by tepples · · Score: 2, Insightful

    [Put] /tmp/ on tmpfs [and] enlarge the default swap size by what is expected for /tmp/, to make sure max virtual memory capacity doesn't suffer.

    Once you start using tmpfs, sensitive information will accumulate in the swap file. This makes pseudo-volatile drives like these even more suited for item 12 (swap).

  23. True, it /could/ by overshoot · · Score: 2, Insightful

    But somehow I don't think that the global market for tmp/swap drives is the Next Big Thing.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  24. IT Crowd... by g4b · · Score: 2, Funny

    "Maybe you are holding it wrong"
    "Have you tried turning it off and on again?"

  25. Re:unhappy people by dotgain · · Score: 2, Informative

    No, in fact they possess all manner of equipment to keep machines powered up in transit, and devices that simulate mouse / keyboard activity to prevent locking screensavers coming on. Sorry I don't have a link handy for you.

  26. Re:I find this hard to believe by vidnet · · Score: 2, Informative

    Are you defending against someone with a magnetic force microscope?

    Yes, see Overwriting Hard Drive Data: The Great Wiping Controversy. Even with a magnetic force microscope, one pass is plenty. You can correctly identify a bit overwritten once with a probability of 0.56, up from 0.50 when randomly guessing. That's a 1% chance of correctly identifying any given byte.