Confidential Data Not Safe On Solid State Disks
An anonymous reader writes "I always thought that the SSD was a questionable place to store private data. These researchers at UCSD's Non-Volatile Systems Laboratory have torn apart SSDs and have found remnant data even after running several open source and commercial secure erase tools. They've also proposed some changes to SSDs that would make them more secure. Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
It's the only way to be sure.
Faster! Faster! Faster would be better!
1 electric drill, 1 work bench, and some bored interns.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
... try reading anything from the ensuing dust.
If he's the Walrus then can I be a penguin please?
Encrypting it?
Is taking data off really an issue anyway? If it's confidential data, destroy the disk when you need to dispose of it. Not repurposing or re-selling hardware with sensitive information on it sounds like a no-brainer.
no reading anything after you smash it.
The solution is the same as hard drives in any secure system - use it, and when you are done, destroy it. Say you get 3 years out of an SSD, the cost of replacing it is trivial over the long haul. Nobody serious about security erases conventional platter HDs and hopes that's good enough.
It doesn't matter if you can get hold of ALL of the data, if it's encrypted you're fucked. Nothing to see here, move along.
Solution: Don't copy any data to an SSD unless you're copying it into an encrypted volume.
I thought we'd already agreed that the only way to be really sure that your data is gone is to physically destroy the drive. If you've got data that's really so sensitive that someone's going to spend serious resources to extract it, the actual price of a drive is nothing. Smash it and call it good.
I know OCZ has its own wipe utility and I believe Intel too. Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable. Oh, your Gutmann wipe pattern for circa 1991 MFM drives doesn't wipe SSDs? You don't say! If you needed to securely wipe one, use the proper tool.
That said, it would be nice if there was some standard way of doing this.
It is a commonly known fact that the only way to ensure data is never retrieved from a physical disk whether spinning or SSD is to physically destroy the drive. All other methods short of that have flaws and some data can be retrieved.
excellent tool for neutering storage. build up a roaring fire with about 6 inches of coals, and then toss the hard disk into it. retrieve in morning, dump in trash. done.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Okay, so it's not so secure; for secure data use secure, highly encrypted mediums. If you encrypt the data on the SSD, does it matter how much is left? If you end up with encrypted data, how can anyone use it with no clue on how it was encrypted, for going good crackers and hackers. I'd assume they're not pulling off full data, just fragmented data, so that's even harder to put together.
Thermite will fix everything! [s/fix/destroy] :-)
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Didn't RTFA, but how about dd-ing zeros to the device?
dd if=/dev/zero of=/dev/sdb should work on everything...
I remember something about a prize for recovering data from a zeroed HD...
\m/
encrypt the data before writing. at no point in its existence will it appear anything but white noise to unauthorized parties.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I prefer a mixture of magnesium dust and gunpowder; but to each their own.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I guess what concerns me the most about SSDs is data recovery. Is that any harder on SSDs than regular disks? Or is data recovery a moot point since there are no moving parts?
The diversity and expression of human opinion is essential to human survival.
You can't do a secure erase from software, because data may still exist in blocks that were remapped by the firmware due to errors or for write leveling. When you write to an SSD, the new data goes in a free block, and the old block is marked free. To do a real secure erase, you have to work with the SSD firmware, and even then, you can't be sure if data may still exist on bad blocks that can't be written to.
So the only way to be sure is to physically destroy it, and flash is reliable enough that it's difficult to be certain that you've truly destroyed it.
So as everyone else is saying, the only good solution is to encrypt everything, and don't store the keys in flash.
A couple whacks with a hammer still works great. Remove the circuit board from the case, give each chip a little love tap with a ball peen hammer. Problem solved without waiting hours for the thing to "secure erase".
Concerned about losing resale value? Security costs money, period. If you want real security, sometimes you have to take some financial responsibility and accept the loss of resale value in exchange for real security. Price of doing business.
If you use the proper erase methods (solid state or other) then it doesn't matter. If you need to destroy the data, simply put it on a cookie sheet and put it in the oven on broil for 30 minutes.
Wifey hates the smell of burning plastic in the oven. Don't ask me how I know this.
"Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
My 12 gauge begs to differ. Pull!
For once I've read the paper :-)
But I could not find a description of the technique utilized to recover the files.
They say that an "advanced hacker" will be able to recover the files, but I'd like to know how.
Utinam logica falsa tuam philosophiam totam suffodiant!
I don't know about any of you and I'd like to keep it that way...
Remember to maintain your supply of
I challenge anyone to find my MicroSD card. I've conducted extensive security audits to verify that no attacker, even one with inside information, can gain electronic or physical access to the disc.
Block storage devices have more capacity than they report. Magnetic disks keep a small reserve of unallocated blocks as a hedge against blocks that fail in use. SSDs keep a much larger reserve because they can only erase in increments that are relatively large compared to their block size.
If you overwrite a sector on a magnetic disk, you will almost always destroy all traces of the old data. The exception is when the drive thinks the old sector has failed or is about to fail, in which case you get an entirely new sector, and your old data is still (possibly) on the old sector. Attacks using magnetic force microscopes to read data from track fringes were possible a decade ago, but there is no reason to think it is possible on a modern drive.
If you overwrite a sector on a SSD, the SSD gives you a whole new block from a list of free blocks, and adds the address of the old block to the list of deleted blocks. Blocks are moved from the deleted list to the free list when the SSD has some free time, or when one is really needed. There is currently no mechanism to force the SSD to actually erase a sector.
This is all known, and there are mechanisms built into the specs to provide a secure erase. What their research is showing, however, is that these mechanisms don't always work. A number of them are buggy, and at least one just plain lies, claiming to have done the secure erase, but actually just doing the normal pointer update trick just like any other write.
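The mechanism described in this post and in the earlier comment about remapped blocks and write leveling (and what the dd-the-whole-device suggestions further down run into) can be shown with a toy flash translation layer. This is an added example, not code from the paper or from any drive vendor; the ToySSD class, its 16-byte page size, the "bogus" and "real" erase routines and the SECRET marker are all constructed for illustration:

```python
"""Toy flash translation layer (FTL), constructed for this thread, showing why a
host-level overwrite (dd, wipe tools) leaves old copies in an SSD's reserve
flash and why only a firmware erase of every physical page clears it."""
from typing import Dict, List, Tuple

PAGE = 16                  # bytes per flash page in this model
ERASED = b"\xff" * PAGE    # an erased NAND page reads back as all ones
ZEROS = b"\x00" * PAGE     # what `dd if=/dev/zero` writes


class ToySSD:
    """Log-structured drive: each write lands on a fresh physical page and the
    superseded page is merely queued for a later garbage collection."""

    def __init__(self, logical_pages: int, physical_pages: int) -> None:
        assert physical_pages > logical_pages, "the reserve (over-provisioning) is the point"
        self.logical_pages = logical_pages
        self.flash: List[bytes] = [ERASED] * physical_pages
        self.mapping: Dict[int, int] = {}          # LBA -> physical page
        self.free: List[int] = list(range(physical_pages))
        self.stale: List[int] = []                 # superseded pages, still holding data

    def write(self, lba: int, data: bytes) -> None:
        assert 0 <= lba < self.logical_pages and len(data) == PAGE
        if not self.free:
            self.garbage_collect()                 # only when the drive really needs space
        page = self.free.pop(0)
        self.flash[page] = data
        if lba in self.mapping:
            self.stale.append(self.mapping[lba])   # the old copy is NOT overwritten
        self.mapping[lba] = page

    def read(self, lba: int) -> bytes:
        """What the host sees through the controller."""
        return self.flash[self.mapping[lba]] if lba in self.mapping else ERASED

    def garbage_collect(self) -> None:
        for page in self.stale:
            self.flash[page] = ERASED
        self.free.extend(self.stale)
        self.stale = []

    def bogus_secure_erase(self) -> None:
        """Firmware that reports success after only dropping the address map."""
        self.stale.extend(self.mapping.values())
        self.mapping.clear()

    def real_secure_erase(self) -> None:
        """Erase every physical page, reserve and stale pages included."""
        self.flash = [ERASED] * len(self.flash)
        self.mapping.clear()
        self.stale = []
        self.free = list(range(len(self.flash)))


def remnant_pages(ssd: ToySSD, marker: bytes) -> int:
    """Forensic view: read the chips directly, ignoring the controller's map."""
    return sum(1 for page in ssd.flash if marker in page)


SECRET = b"SECRET-PAGE-%04d"   # constructed 16-byte marker, one per LBA


def fill_with_secrets(ssd: ToySSD) -> None:
    for lba in range(ssd.logical_pages):
        ssd.write(lba, SECRET % lba)


def overwrite_from_host(logical: int = 4, physical: int = 8) -> Tuple[bool, int]:
    """Emulate `dd if=/dev/zero of=/dev/sdX` once over the whole logical space."""
    ssd = ToySSD(logical, physical)
    fill_with_secrets(ssd)
    for lba in range(logical):
        ssd.write(lba, ZEROS)
    host_sees_zeros = all(ssd.read(lba) == ZEROS for lba in range(logical))
    return host_sees_zeros, remnant_pages(ssd, b"SECRET")


def secure_erase_comparison(logical: int = 4, physical: int = 8) -> Tuple[bool, int, int]:
    """Both firmwares make the host see an empty drive; only one clears the chips."""
    bogus = ToySSD(logical, physical)
    fill_with_secrets(bogus)
    bogus.bogus_secure_erase()
    host_looks_empty = all(bogus.read(lba) == ERASED for lba in range(logical))
    real = ToySSD(logical, physical)
    fill_with_secrets(real)
    real.real_secure_erase()
    return host_looks_empty, remnant_pages(bogus, b"SECRET"), remnant_pages(real, b"SECRET")


if __name__ == "__main__":
    print("dd over logical space -> (host sees zeros, remnant pages):", overwrite_from_host())
    print("(host looks empty, remnants after bogus erase, after real erase):",
          secure_erase_comparison())
```

With four logical pages on eight physical ones, a full host overwrite leaves all four original pages intact in the reserve, and a firmware that only resets its map looks identical to a proper erase from the host side. The only check that distinguishes them is the one the researchers did: read the flash behind the controller and look for the marker.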
See that "Preview" button?
Someone once told me that I should use RSA encryption because it was developed by the NSA. I thought to myself "why would the NSA produce and give away an encryption algorithm they can't break". I concluded that they wouldn't. So yeah, probably not secure.
You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?
Because digital is just a convenient abstraction for our analog reality. Here's a gross simplification. A bit is just a magnetic blob on a large plane of magnetic media. When a read/write head returns to a particular spot it does not return to exactly that same position, close but not exact. As the platter spins and it lays down a track of these magnetic blobs it may write the new track a little bit to the side of the old track. This partly motivates wiping software writing data seven or more times, it wants to increase the likelihood of getting the old data.
Try this: Take two highlighters, one yellow and one a darker color. Draw a yellow line. Now draw on top of that line with the other color. See any pure yellow peeking through on the edges? That yellow is like the area where data recovery people will use highly specialized equipment to read "overwritten" data.
This sounds like a good thing to me. Better chances of getting data back from failed hardware. Or getting data from a device that a numbskull disgruntled employee thinks they've intentionally ruined.
If you actually WANT to destroy the data, others here have mentioned the proper methods. I like to rely on the .45 at high velocity, but open flames work well too.
No sig for you. YOU GET NO SIG!
The problem is that doesn't work due to wear leveling. The virtual area you're overwriting isn't necessarily the same physical area that holds the data you want gone. Even wiping the entire thing doesn't do it, thanks to spare blocks.
upon the advice of my lawyer, i have no sig at this time
You couldn't possibly seriously mean we should start reading the entrails? That is soo medieval.
"once you put it on, getting it off isn't so easy." - That's what she said?? ZINGGGGGGGGGGGGGGGGG!
Presumably this is because of the optimization techniques that SSDs use to achieve high performance and increase lifespans. One of these measures is having 64GB of flash on a 60GB SSD, leaving extra flash for intensive operations and wear leveling. Since the disks weren't designed for secure erasure, no method erases the extra space, and what conventional programs do is just trigger the controller to sometime overwrite some of the extra flash space.
This isn't endemic to SSD technology, just the way the controllers are implemented. At some point controllers will probably support this secure erase of all flash.
TL;DR: new tech doesn't have all the features, can recover at least 1% of your data until better tech comes out
I find 165 grains going about 3000 fps is a very effective data destruction device. It is also a great way to relieve stress.
For a system drive you have to at least install the OS before being able to encrypt it with TrueCrypt or its fork DiskCryptor.
That's not a problem if you don't save any personal data to the drive after installing the OS and before a system encryption, but nevertheless this depends on how wide you define personal data. Is the choice of OS, any registry key, choice of software, isn't that personal information, too?
Because they use it too? Because they would rather no one have the info than everyone?
The NSA does both securing and attacking.
When did you think to yourself "Instead of worrying about the NSA decrypting my data, I should probably worry about not attracting the attention of the NSA"? I mean, if they're at the point of their investigation being stopped by your encrypted drive, are they likely to just say "Well shit, sorry about that!" and head out the door? Probably never because you're one of a billion idiots that thinks they can have and require perfect security. I bet you love making fun of the TSA too, not realizing you're making the same mistakes as them.
If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
The great zero challenge was never accepted, so I'd say it's safe to say that spinning hard disk data can be reliably erased. I've never seen it done, that's for sure.
http://hardware.slashdot.org/story/08/09/06/189248/The-Great-Zero-Challenge-Remains-Unaccepted
Well, I finally did read TFP referred to by the abstract in TFA mentioned in TFS. And it sure looks like they just de-soldered the ICs and popped them into a dead-bug socket on their "Ming the Merciless" custom controller board.
I am not a crackpot.
Whether it's an HD, SSD or optical disc, only a few people really care enough to secure their data, and in the end if you want to make sure no one gets it, then physically destroy the media when you're done. It's the safest way for all of them.
Do rare earth magnets work on SSD? Or does magnetise and destroy no longer work on today's tech?
They come in the dark, only in the darkest.
Someone once told me that I should use RSA encryption because it was developed by the NSA. I thought to myself "why would the NSA produce and give away an encryption algorithm they can't break". I concluded that they wouldn't. So yeah, probably not secure.
For the sake of argument lets assume the NSA can break it. So what? The government already has my SSN, bank account numbers and credit card numbers. I only need to stop the thieves, finder keepers, dumpster divers, computer recyclers, etc.
Give her a gift card for a spa or other "nice" thing to do for the day. She will (A) love you for it, (B) never need to know that you had a kiddie porn drive, or (C) that you baked said kiddie porn drive in the oven while downloading midget porn as a replacement.
"His name was James Damore."
Encrypting it? Is taking data off really an issue anyway. If it's confidential data, destroy the disk when you need to dispose of it. Not repurposing or re-selling hardware with sensitive information on it sounds like a no-brainer.
Also, if it's so hard to delete, then maybe SSD drives are a good place for long term backup/storage of those encrypted volumes. Just wondering, not claiming it is so.
US intelligence agencies clandestinely gather information. You don't learn about their investigation until you are already in custody (if at all). Who's to say they don't just automatically decrypt any RSA encoded transmission they intercept just to see what information people are trying to keep secret? They are currently involved in known projects that automatically track all telephone and internet traffic into and out of the US. Who is to say what else they're involved in?
Trusting an intelligence agency, who makes knowing your secrets its business, to encrypt your files is counter-intuitive, to say the least.
I wonder what the value of "remnant data" could be when the data were, say, AES encrypted?
You are encrypting your confidential data, correct? Or should I say, unencrypted data are not "confidential" in the first place?
-fb Everything not expressly forbidden is now mandatory.
Would doing a 'dd if=/dev/zero of=/dev/sda' a few times not do it?
They later amended the platter removal terms with the following text, but still nobody accepted it.
AFAIK, they did not do whole disk wipe.
The website says "Individual file sanitization techniques, all of which failed and left at least 10MB of a 1000MB file." Does not say what happens when you do a full disk wipe. #Fail.
So do you always just believe what people tell you without checking facts?
If TFA is correct and you can't reliably erase data from the disk, how are you going to reliably erase the key?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
What am I missing here? I have a drive/card/chip labeled 16 GB storage. I save 16 GB of data to it. I overwrite the entire volume with 1s.
Now I can read 16 GBs of 1s. And some l33t hacker can retrieve the 16 GB of secret sauce I thought was overwritten. So a drive labeled 16 GB really has 32 GB capacity, it's just that second 16 GB is hard to access?
And what if I then go back and overwrite those 1s with 0s or random bits? Is it possible to retrieve the layer of 1s and the original data? So a 16 GB disk can hold 48 GB? And that last 32 GB is just really, really hard to access?
Of course, I didn't RTFA. But I presume we're not just talking about delete/undelete of single files. If they didn't wipe the whole disk, why would this be on /.?
Why is Slashdot posting these inane articles?
Everybody who knows anything about SSDs knows that they have significantly more raw storage than logical capacity, and that the extra storage capacity is used for redundancy. Because of the wear levelling systems used, writes don't go back to the same place, so data can't be overwritten. This has been well known and obvious to everyone for years.
Pro Tip: Full Disk Encryption. Problem. Fucking. Solved.
Why are we even talking about this?
Just mount the flash drive and put a bullet in your computer's monitor. If it works for hard drives in the movies, then it should work for solid state as well.
As it has been pointed out, modern drives overlap various bits quite a bit and there really is no such residual magnetism. It is below the noise floor of the natural variations in a platter's magnetism.
Some of this research is even from the same guy (Gutmann) who published the technique 25 years ago, but states it is impossible with modern drives.
That in itself would be a bigger secret than anything that would be exposed by it.
Acting on any information obtained that way would expose the biggest secret in the history of secrecy, pretty much.
They aren't going to tip that hand just for you.
-fb Everything not expressly forbidden is now mandatory.
And even if you can read this residual magnetism, think of what you must do next:
First, a drive head isn't enough. You have to get the platter under an electron microscope or such incredibly specialized device owned by what, 10 labs in the whole world?
Next, you spend months (from what I heard of the speed you get out of those) copying the platter, generating several times more data than the official disk's capacity.
Once you're done with that you can get to decoding. But, there's a laboratory proof of concept, and there's the real thing. On a real drive, you won't get a laboratory setting of showing you can read sector #1 and then figure out what the previous value was. You'll have to find something interesting in millions of sectors.
On hard disks data doesn't get written in neat tidy ways. Files get fragmented all over the platter, and when deleted their sectors may get reused. So you'll have to find your interesting file by piecing it together. You'll have to make sense of the former filesystem metadata that says where it was, then read the now overwritten file. Both of which are probably not neatly overwritten once, but different amounts of times on each sector, and you'll have to figure out which of those is the good one.
It sounds like way, way too much trouble.
What's an even bigger concern is that when an SSD fails, your whole disk is still available read-only. I've got one sitting around like that, and have been too lazy to physically destroy it (none of the data is sensitive). What I should have done is just turn it into super-fast installation media for a few versions of Windows, but I wasn't thinking at the time.
Of course, that failure model is a *feature* of SSDs. With a HDD, the drive just randomly fails someday, and you lose the ability to read, write, or securely erase data. If you have sensitive data, it shouldn't be stored on any media unless it's encrypted or physically/remotely secure and will be thoroughly destroyed when it dies. That's common sense. Blocks being difficult to securely erase due to wear leveling and such doesn't change that.
It's easy to get the data off
Much easier than spelling the inventor's name
Of course they can always get the data off. Everyone knows that. They do it all the time on CSI. Sheesh!
Proverbs 21:19
Once you put it on, getting off isn't so easy.
So what you do is you use that information to lead you to other evidence you can use. During WW2, they would send airplanes to verify submarine locations before destroying them so that the Germans wouldn't get wise to them. Presumably they've had 70 years or so to improve on that technique. I think it's safe to say they can figure it out.
Yes, that's what I tell security when I walk around our server room with firearms.
Or maybe shooting doesn't actually solve all your problems.
The Kruger Dunning explains most posts on
You take the drives to the range, not go shooting in the server room.
No, that would be highly unlikely (that it is encrypted by default). You do need to set some security parameters when erasing, but as far as I know, that's not because of how secure erase works. The results in the article for secure erase would not be possible if there was a single key (because partial erase would not be possible). It also would not explain the 20 second wait during secure erase of my Intel SSD. Fortunately, flash blocks can be erased in one go, so secure erase is *much much much* faster on an SSD compared to a HDD.
That would be possible, since it would be the device itself that does the erasing. It could just issue a single erase command for the flash blocks containing the key and it would be done (I presume that the key is stored in at least two locations, or the failure of a single block of memory would be disastrous). It might even be stored in writeable memory within the controller.
1. Buy a steamroller.
2. Get government contract for SSD data destruction.
3. Profit!
And it's not the NSA.
RSA was not developed by the NSA, but by Rivest, Shamir and Adleman at MIT.
Dilbert RSS feed
Suggested Alternative Headline: "Confidential, Unencrypted Data Not Safe on Solid State Disk, Conventional Disk, or Anywhere Else Now That I Think About It"
but have you considered the following argument: shut up.
When did you think to yourself "Instead of worrying about the NSA[...]" [...] I bet you love making fun of the TSA too [...]
Okay, let's get all the future agencies out of the way; we've already got NSA and TSA. Feel free to participate.
ASA
BSA (damn scouts/Microsoft!)
CSA
DSA
ESA (Euroooooos iiiiin spaaaace!)
FSA (use it or lose it)
GSA
HSA (use this or lose it also)
ISA (old motherboards)
JSA
KSA (Kal-el space agency?)
LSA (heh, woodrose/glory)
MSA
[...]
OSA
PSA (walnut-sized; stimulate it by going backwards)
QSA
RSA (rot-26)
SSA (you won't get the payout)
[...]
USA (yeah right)
VSA
WSA
XSA
YSA
ZSA (slap a fucking policeman!)
I feel fantastic, and I'm still alive.
That in itself would be a bigger secret than anything that would be exposed by it. Acting on any information obtained that way would expose the biggest secret in the history of secrecy, pretty much. They aren't going to tip that hand just for you.
Exactly: similar to the reason we let that town be destroyed in England; alerting them would have let the Germans know we figured out the Enigma, and those lives were deemed to be less important than "the war effort". (Note to self: stay out of the way of war efforts.)
I feel fantastic, and I'm still alive.
I know OCZ has its own wipe utility and I believe Intel too. Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable. Oh, your Gutmann wipe pattern for circa 1991 MFM drives doesn't wipe SSDs? You don't say! If you needed to securely wipe one, use the proper tool.
Even mechanical disks need this - if you get a sector re-mapped, you're not going to zero it out ever again.
Some SATA drives support a Secure Erase ATA command extension. I asked Seagate to send me a list of their drives that had this support in firmware, so I could write a tool to do this. They refused. Even as a "Seagate Partner".
So, in the general case, you can't trust your drives. LUKS is easy enough to set up on Linux that you can work around drive vendors you can't trust (but set swappiness to 0 on a netbook!).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I bet you love making fun of the TSA too, not realizing you're making the same mistakes as them.
No, I don't let anyone get a free pass. I scan everyone that comes into my house with an old x-ray machine I found once while dumpster diving behind some doctor's clinic. I figure that a little extra radiation won't hurt nobody and fuck 'em since they agreed to come into my house when I called them to fix my sink.
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
Encrypt it with quad rot-13. They will not be able to crack that!
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
Call the Marines.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
It eats some of the speed advantages but whole disk encryption works for me. It's still way faster than a magnetic disk.
No it is not.
dd was fine in the year 2000.
It does not work today for the following reasons:
Hard drives do re-maps for bad blocks. These bad blocks are not touched by OS tools.
SSDs do this even more aggressively and even by default keep a pool (10%) of flash just to recover from material defects, and might also compress data (e.g. write all zero bytes and it will compress the data) to minimize the number of writes.
In theory the secure erase tools send the disk a low level command that will really zero all data, but the investigators did show that this optional ATA command was not implemented correctly in some cases.
dd if=/dev/urandom of=/dev/sdxxx will probably erase the data, BUT NOT ALL OF THE DATA ON A SSD; rewriting with zeros might be a non-productive idea with advanced disk firmwares.
PS, I agree that overwriting the data multiple times that some old tools did is just a waste of time, on a SSD it will only cause more wear.
the old tried-and-true method of 'securing' your data still applies: woodchipper.
If it's stored in a completely different type of memory, the always-crypto delete-the-key approach might work, but if it's actually on the SSD itself, it falls apart. You said yourself that the key is likely stored in two locations in case one fails; in that case, wouldn't at least part of the key be recoverable on the failed portion of the disk, since it may refuse to write to that block, since it considers it damaged?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
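The crypto-erase idea debated above (a single drive key that the controller can wipe in one go, so the ciphertext left on the flash is worthless) and the objection in this reply (a redundant key copy sitting on a block the firmware refuses to rewrite) can be modelled together. This is an added example, not code from the thread, the paper or any drive vendor: the HMAC-SHA256 counter keystream is a stdlib stand-in for real drive encryption, and CryptoEraseDrive, its key slots and the stuck_slots parameter are constructed for illustration.

```python
"""Crypto-erase model, constructed for this thread: the media only ever holds
ciphertext, and 'erasing' means destroying the data-encryption key (DEK).
A key slot that refuses writes shows how one surviving copy defeats the scheme."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32
ZERO_KEY = bytes(KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a toy substitute for the AES
    mode a real self-encrypting drive uses, chosen so this runs on the stdlib."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CryptoEraseDrive:
    def __init__(self, key_slots: int = 2, stuck_slots: Tuple[int, ...] = ()) -> None:
        self.dek = os.urandom(KEY_LEN)
        self.slots: List[bytes] = [self.dek] * key_slots   # redundant key copies
        self.stuck = set(stuck_slots)                       # slots firmware won't rewrite
        self.media: Dict[int, Tuple[bytes, bytes]] = {}     # lba -> (nonce, ciphertext)

    def write(self, lba: int, data: bytes) -> None:
        nonce = os.urandom(16)
        self.media[lba] = (nonce, xor(data, keystream(self.dek, nonce, len(data))))

    def read(self, lba: int) -> bytes:
        nonce, ct = self.media[lba]
        return xor(ct, keystream(self.dek, nonce, len(ct)))

    def crypto_erase(self) -> None:
        """Zeroize every key copy the hardware lets us touch. The ciphertext stays
        exactly where it is, which is only fine if no key copy survives."""
        for i in range(len(self.slots)):
            if i not in self.stuck:
                self.slots[i] = ZERO_KEY
        self.dek = ZERO_KEY   # the controller forgets its working copy too


def forensic_view(drive: CryptoEraseDrive, lba: int) -> Optional[bytes]:
    """Read the chips directly: ciphertext plus whatever is left in the key slots.
    Plaintext comes back only if a non-zeroized key copy can still be found."""
    nonce, ct = drive.media[lba]
    for key in drive.slots:
        if key != ZERO_KEY:
            return xor(ct, keystream(key, nonce, len(ct)))
    return None


SECRET = b"constructed sample record: account 0000-0000"   # constructed sample data


def erase_outcome(stuck_slot: bool) -> Optional[bytes]:
    """None when crypto-erase held; the record itself when a key copy survived."""
    drive = CryptoEraseDrive(key_slots=2, stuck_slots=(1,) if stuck_slot else ())
    drive.write(0, SECRET)
    assert drive.read(0) == SECRET
    drive.crypto_erase()
    return forensic_view(drive, 0)


if __name__ == "__main__":
    print("all key copies erased ->", erase_outcome(False))
    print("one stuck key slot    ->", erase_outcome(True))
```

The point of the model is that remnant ciphertext is harmless exactly as long as every copy of the key is gone, so the key has to live somewhere whose erase is actually honoured (a dedicated register or a block the firmware can always erase), not in the same wear-levelled pool as the user data.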
Is it possible to recover data after running the following a number of times?
$dd if=/dev/urandom of=/dev/hda
Is what the story title should've been. Confidentiality, not data, is the subject of "safe". Much like copyright doesn't "protect" creative works, rather it protects revenue streams and feelings of copyright holders and authors.
To truly delete or protect the info on the SSD, after copying all the pertinent data, remove the SSD from the slot, place it on a solid object (such as a brick) and administer a strong concussive blow with a nail-driving device (i.e. hammer). The SSDs are cheap enough and if your data is as valuable as you think it is, there is no great loss (of the SSD). If you think this is a waste, then perhaps your data is really not that valuable after all......