Ask Slashdot: Data Remanence Solutions?
MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particularly with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"
There is software out there (like D-BAN) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
We all know what to do, but we don't know how to get re-elected once we have done it
...burn it to an optical disc, then shred the disc! :)
DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.
If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.
I don't know if it would be a government approved method, but it damn well should be.
Just google search how to run a zero-fill of a hard drive with Linux. The command is something like dd if=/dev/zero of=/dev/sda bs=1M . It will overwrite every bit of the drive with zeroes. It doesn't destroy the hardware, but the data is absolutely, irreversibly gone.
Overwrite the drive several times using a wipe tool. How would encrypting it be preferable?
... is that your idea is logical, rational, and sensible, and therefore will not be considered an acceptable solution.
I recommend inventing some bloated bureaucratic process that involves miles of red tape, and doesn't actually address the issue at hand.
Hell, they might give you a fucking medal for that.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Assuming it's a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.
If you just need to destroy the data then why not write random garbage to the entirety of each drive several times?
That's more certain for not being able to recover the data than using some encryption, which still has some structure and so with the application of sufficient time and resources might be recoverable.
There must be some sort of government/military specification for data disposal along the "write random garbage" lines which would satisfy your clients.
Why encrypt the data and destroy the key? Why not just destroy the original data? A 9 pass random overwrite should be more than sufficient.
Why don't you just set them to random bits, if that is the goal?
Don't go writing that report, you'd sound silly. Unless your superiors are really, really dumb.
world was created 5 seconds before this post as it is.
It used to be that there were several ways to recover data from a wiped drive even after wiping the data and writing over it, but from what I understand, due to the size of a bit on a modern hard drive, it is impossible to read something that has been overwritten.
Don't know something? Look it up. Still don't know? Then ask.
http://www.dban.org/
Darik's Boot and Nuke.
Set it to multi-pass with random data to wipe. One pass will be fine to destroy the data. Set higher to impress the management if you have the time.
Attach multiple pATA and sATA drives spread on as many buses as possible. It will run in parallel in those cases and thus finish quicker.
They support military and DOD level wiping (many passes, many methods of generating patterns and randomness to interleave).
If you believe the data shouldn't be destroyed, have your contracting office send the government contracting officer a letter requesting the requirement be deferred until the end of the new contract.
Just destroy the drives AS REQUIRED BY THE CONTRACT. It's not that big a deal.
There are a number of frameworks, best practices, regulations, and (in your case) contracts that mention hard drive destruction. 99% of the time to comply with those requirements you have to actually shred the drive, and have a certificate of destruction for each drive (sometimes signed/notarized by both a company representative who witnessed the destruction and the company doing the destruction). Recent reports have shown that digital destruction (DBAN as mentioned above) with only a few passes is sufficient for real security, but that doesn't matter. I know of several organizations that DBAN server drives, degauss them, drill holes in them themselves, then have them picked up to be shredded. The extra safety/security that whole process gives is minimal, and they do it not to be more secure, but because they have to meet random government policies or contracts that require all those steps be taken.
See here:
http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
Zero-fill (full disk, including bad sectors) is good enough unless there's some top-secret spy tech that you need to protect against (SQUID transducers are one thing I heard?)
"When information is power, privacy is freedom" - Jah-Wren Ryel
The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.
Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.
Make sure your negotiators don't foul this up for future contracts.
What's with the draconian data policies cropping up everywhere now? Even the company I work for is requiring HD destruction as opposed to just a decent low level formatting. Is there at least a good reason in this case?
What are the requirements for that?
Seriously? You want to save the $100 - $200 for a new hard drive (Plus $50 Labor to ghost the drive). That's nothing when dealing with DOD contracts.
Why are you destroying the disks? Do you not need any of that data?
Why not request an addendum to the contract that postpones the destruction until a time when the contract is not renewed, or the disks fail (whichever comes first)?
As suggested by others, DBAN is good, or my preferred method is:
write garbage
dd if=/dev/urandom of=/dev/disk
then write zeros
dd if=/dev/zero of=/dev/disk
"Lame" - Galaxar
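The random-then-zero procedure above, as an added example in Python that is not from the thread: it runs the two passes, reads the target back to confirm the zero pass landed, and returns an audit record, since later comments point out that demonstrating the wipe matters more than doing it. It works on any path the caller can open read/write (a regular file for testing, a block device in practice); the record fields and the demo helper are made up, and, as the thread notes, it cannot reach sectors the firmware has remapped as bad or flash spare blocks.

```python
"""Overwrite-then-verify sanitization of a file or block device (constructed
example, not from the thread). Random pass, then zero pass, then a read-back
check, returning an audit record of what was done. Caveat from the thread:
this only reaches sectors the drive still exposes; firmware-remapped bad
sectors and flash spare blocks are not touched."""
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB per write, like dd bs=1M


def _overwrite(fd: int, size: int, pattern) -> None:
    """Write pattern(n) bytes across the whole target, then flush to the device."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = pattern(n)
        done = 0
        while done < n:  # os.write may return a short count
            done += os.write(fd, buf[done:n])
        remaining -= n
    os.fsync(fd)


def _verify_zeros(fd: int, size: int) -> bool:
    """Read the whole target back; True only if every byte is zero."""
    os.lseek(fd, 0, os.SEEK_SET)
    zero = bytes(CHUNK)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = os.read(fd, n)
        if len(buf) != n or buf != zero[:n]:
            return False
        remaining -= n
    return True


def wipe_and_verify(path: str, random_passes: int = 1) -> dict:
    """Sanitize `path` in place and return an audit record.

    `path` may be a regular file or a block device such as /dev/sdX
    (hypothetical device name); the caller needs write access to it."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        for _ in range(random_passes):
            _overwrite(fd, size, os.urandom)
        _overwrite(fd, size, bytes)  # bytes(n) is n zero bytes
        verified = _verify_zeros(fd, size)
    finally:
        os.close(fd)
    return {
        "target": path,
        "bytes": size,
        "random_passes": random_passes,
        "zero_pass": True,
        "verified_all_zero": verified,
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def wipe_temp_copy_demo(payload: bytes, random_passes: int = 2) -> dict:
    """Run the procedure on a throwaway file holding `payload` (constructed
    sample data) and report whether any of the payload survived."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    os.write(fd, payload)
    os.close(fd)
    try:
        record = wipe_and_verify(path, random_passes)
        with open(path, "rb") as f:
            record["payload_residue"] = payload[:16] in f.read()
    finally:
        os.remove(path)
    return record
```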
The problem isn't destroying the data. The problem is demonstrating that you've destroyed the data. If you hand over all the media that the data is on for shredding, and it gets cataloged and then shredded, any bean counter can look and say "see? here's the certificate that says it was destroyed." If you erase it and promise "I erased it! I swear! Honest!", there's not much to look at when they do their audit.
1) When it comes to classified data, physical destruction is typically required
2) When it's a "new contract" the only way around the requirement is to amend the contract. Much easier said than done.
Your company likely doesn't have the political pull to amend the contract and/or it will be more expensive to do so than to buy new drives.
But if you CAN change the contract, then just change it to allow DoD-wiping or similar.
I think there may be a political reason to require destroying the drives and buying new ones: It makes sure that both the incumbent company (you) and any other bidders are on "a level playing field" - that is, you won't be able to reduce your bid by the cost of the drives.
There is also a technical benefit: You are going to start with brand new drives, reducing the odds of drive failures mid-project.
I would recommend your company modify FUTURE contract negotiations to specifically allow for re-using media if the contract is extended or replaced with a contract that is doing substantially the same work AND substantially the same group of employees/subcontractors have physical access to the computers or servers.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Sure dban makes data unrecoverable, but the statement 'they must be sent to an appropriately recognized facility for destruction' doesn't seem very ambiguous to me.
1. DBAN / similar bootable cds
2. Linux Live CD -- my fav also the most complex if you don't know unix command line I guess
3. Plug in as any non primary disk and run windows DOD based wipe software (google) on it. -- to speed things up consider getting a pci-e sata adapter so u can do many at once, the adapter is prolly cheaper than w/e they pay you.
I think the government standard is DOD, anything over is time consuming and overkill.
In your report you may want to include why DOD will work and why it's not recoverable, I'll leave that research to your already suspiciously lazy ass.
Encryption accomplishes the same thing, but you'd have to encrypt 3 times and show how the encryption is altering the disk's physical characteristics to make it unrecoverable.
Also I'm not sure where you're coming from on disk space is expensive, it's at the cheapest it's ever been, and will only get cheaper till something replaces SSD and then that will be expensive and the rest of the HDs will get EVEN CHEAPER.
Depending on what you have on your hard drives the gov may accept DOD or it may only accept a physical shredder.
I'd challenge you on how are you going to show to the gov that you actually performed the DOD wipes?
Tbh, sounds like you don't know wtf you're doing, I'd recommend bringing in a consultant to show you the light, this is very basic admin stuff and I don't have anything to do with the gov, just a lot of ppl's personal data in my position.
Don't try to find ways to cut costs or save money by skirting around your contractual obligations. Your contract says to destroy the hard drives. You MUST destroy them. You WILL lose your contract if you do not.
If you have a Security department, take your concern to them or your Contracts Manager for this contract. They will tell you the same thing...especially if it's a classified program.
So you didn't read the contract and properly estimate costs before agreeing to said contract? Yup, definitely a government contractor.
Erasing the drive using standard tools like DBAN will NOT erase sectors that the firmware mapped out as bad over the life of the drive.
The government wants any classified information that was ever written to these sectors destroyed as well.
This is why the drives must *eventually* be destroyed rather than land-filled or surplussed.
You can still make a good case that re-using the drive on what amounts to a continuation of the old contract will save money and harm nobody. But as I said before, it's not worth fighting the bureaucracy on this one. Drives were cheap before the flooding in the Far East, and they will be cheap again soon enough.
You have two choices to clear data from government disks. The easiest is degaussing the drive and then destroying it using approved devices. The second is wiping it a certain number of times using approved software. The government has at least one government owned zero cost software package that is approved for the wipe process. A google search for "DoD 5220.22-M Disk Erasure Standards" will get your research started.
Replacing the drives might not be a bad idea.
If the drives are a couple of years old, you might be better off destroying the drives and buying new ones. The cost of certified drive destruction is pretty cheap, new drives can be had for not much ($60 to $200 depending on whether desktop or workstation).
The lifespan of drives isn't infinite so this would be a good opportunity to replace the 3 or 4 or 5 year old drives with new ones. The incremental labor of removing the drive, putting it in the send out for secure destroy box and replacing it with a brand new one will not be much more than spending an hour or two wiping the drive. Either way you have to re-image the device.
And the time savings of not having an old production drive go will be huge.
I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract:
Google turns up this copy in PDF.
Hope that helps!
Carousel is a lie!
> I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed
How do you destroy the key? You encrypt it and destroy the second key that you used to encrypt the first one? That's convenient, now you just have to repeat the process in a recursive manner and it should be completed in NaN years.
lucm, indeed.
The business solution is to have the original contract revised to not force you to destroy something you want to keep. You get the next contract, get them to keep the parts to save time, money, efforts, energy. If it works then your employer will see you as a multi-faceted resource with solutions from more than one discipline. If nobody agrees then stop working for someone who makes stupid decisions.
That's how I operate and I've never been fired, been promoted 4-5 times though.
If it's the same project, you can ask the project office to waive the requirement in the prior contract.
I came here expecting an eye-opening discussion regarding some emerging theory of systems administration regarding "data romance".
Son, I am disappointed.
Colin Dean Go a year without DRM
I would shy away from the encryption method. The drives will be very hard to decrypt but not impossible so it's possible for someone to break the key and get the information off. Even if you use a one time pad there is still a chance of someone breaking it.
The best way to handle this is to magnetically scramble the drive using high powered magnetic fields and then continuously low level format them at least 10 times. This will render the information completely erased. At that point there is as close to a 0% chance of data retrieval as possible.
As to secure destruction, encryption is quite fine, if it is modern encryption done right. (I have seen some commercial things that were just stupid....) Overwriting, as some here suggested, unfortunately does not do the job, because of defect management. For sectors still in use, it is likely just as secure as encryption, but it does exactly nothing for reallocated blocks. (Even more so for SSDs and flash-drives).
For Windows, TrueCrypt is a good solution. For Linux LUKS with defaults or AES in XTS mode.
But the problem is the contract. If it stipulates physical destruction, then you have to do that. There will likely be no legal way out of that.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
There are a number of good posts on here, and a lot of people saying "use DBAN".
99.99% of the problem space here is the process that proves the drive was wiped and the processes supporting that, 0.01% is doing the wiping.
send to me. i'll throw 'em in the burn-barrel out in the yard.
Encryption won't destroy the data. You are assuming that it is impossible to decrypt the data. As computers get faster and faster you will have a hard time trying to prove to someone that it can't be decrypted.
Do it the "right" way. Use the Secure Erase command added to the ATA and SCSI interface specs. http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml. Funded by the NSA until recently.
> What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high.
It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.
I have contracted with many government agencies over 16 years. This issue is a lot larger than your one customer. When the government mandates that drives containing sensitive material be destroyed, they mean it, and will not back down, no matter how logical your alternative. The security gurus, if you can call them that, take the approach, better safe than sorry. Rather than doing an expensive study to determine if data truly is gone when you write it over dozens of times with random data, it's just easier to mandate to smash the hard drive with a 10 pound sledge dozens of times. That said, if the hard drives aren't changing hands, it seems silly to me that they'd mandate you destroy all of the old drives and start the same project over again with all new ones...unless I'm missing something. As long as the drives stay at the same classification from the same agency, usually they don't have to go anywhere. However, if the data from the old project must go away, and the new project is unrelated, I might see why they want the old data destroyed. In my experience, though, if equipment never leaves the room, and the room never changes classification, it usually stays. Remember, it's a "better safe than sorry" situation with the government. They won't listen to an alternative, because it's a government-wide security mandate, and they never deviate from those. Given a choice between listening to your security officer and listening to your intellect, listen to your security officer every time. You'll keep your job and your security clearance.
That's great IF your motherboard actually supports the command. A surprising number of SATA controllers will refuse to transmit the command (something about NSA involvement there too)...
The only person that can resolve this for you is the government contracting officer. They will have to review the requirements and decide what is an acceptable solution. You can offer up solutions, including keeping the drives in place since the equipment is staying there anyway, but they must make the call.
Their hands may be tied by regulations that require physical destruction; in which case you have no choice. They may be able to approve keeping the drives. In the end, they will do whatever keeps them out of trouble; which often is to simply enforce the existing contract requirements. In that case, find a place that meets the destruction requirements. They may want to avoid that but if gov't contracting requirements require it they will do it.
It may sound ridiculous, but whatever you spend on new drives is a lot cheaper in the long run than making life difficult for the contracting officer.
I'm a consultant - I convert gibberish into cash-flow.
> giving me several more years of near-guaranteed employment!
Correct me if I'm wrong, government contracting experts, but a little known factoid is that the government can just terminate any contract it wants to at any time, if it can be shown it's in the best interests of the government. Contractors, OTOH, may not.
So people have already said use DBAN. So I'll point out Symantec Ghost also wipes drives using the GDisk utility. Both Ghost and DBAN can wipe a drive with a DoD standard 5220.22-M wipe. Surely if it's good enough for national defense...
L8r
"How much truth can advertising buy?" - iNsuRge - AK47
At my Agency we use DBAN if we are going to re-use the drive. Otherwise if the drive is failed and has data on it or if it is just no longer serviceable (ye olde SCSI anyone) it goes into a burn box and IT Security takes it to a secure incineration facility. Encrypting the data and then losing the keys does not destroy the data. It just makes it unavailable to you at this moment. Next year that impossible to crack encryption might not be so far out of reach. If the contract is written that the drives get destroyed then replacing them is the cost of doing business. It is admirable to try and save money but I would rather be sure... This is the classic case of "don't leave them for dead, leave them dead".
If you've got stiff data remanence requirements in your existing contract, it sounds like you'll need to ask for a contract modification. Not knowing exactly what sort of data you're working with, I'll just say it sounds like the customer really wanted to make sure their data didn't end up on eBay by accident.
The time to have provided for an non-destructive alternative would have been when the original contract was being negotiated. That said, ask your PM to ask the customer contracts officer about it. Keep in mind that no matter how good your electronic data wiping method, nothing beats sending the platters to the hammer mill. Your new contract probably budgets for new discs, so unless you and the customer are going to realize significant savings from reuse, I wouldn't go to the mattresses over it.
Luke, help me take this mask off
Normally, I have little respect for what government does because of how it gives people the wrong incentives, but in this case the government contact has been written by experienced people. This is a perfect example of a relative neophyte believing he knows better than old hands simply because he's relatively ignorant (I didn't say stupid). Hey, we've all been there.
Others have likely said this, but obviously anyone with any experience thinking about security knows what is hard to decrypt today may be child's play tomorrow (or child's play for certain foreign government institutions). Do what the people who know what they are talking about told you to do in the contract -- have the disks physically destroyed just as the contract stipulates.
If the contract with the government requires you to destroy the data storage device containing sensitive data, it is a known fact before the contract is signed. In this case you need a different concept for your daily work with this data and how to perform backups:
- Don't store it on a SAN
- Take into account that you need to destroy your backup, too.
- Recalculate your contract "cost" if you need to replace hardware at the end of the contract.
- Place this "cost of contract" as a new position in your offer, because your customer has to pay compensation - if it is part of the contract, of course.
- Btw. if a hard drive is defective, it has to be destroyed completely by an authorized/certified organization. Don't just throw it away.
Encryption is no option if you work with government/Navy/...
Where I work (non-governmental) they are required by law to ensure data is not recoverable from surplus or decommissioned systems, even desktops and notebooks. 'Ensure' means to guarantee upon legal and regulatory penalties up to and including forfeiture of profits and punitive damages in excess of the company's net worth and revenue. In other words, the penalty is bankruptcy and dissolution.
We wish to avoid that.
There is, sadly, only one absolutely guaranteed method of preventing data recovery, and that is drive destruction. Not just drilling a hole in the platters, not just crushing them flat, but shredding them in a machine designed for that purpose, which is what happens.
Despite all the assurances, there are no software or hardware vendors that will also guarantee, to the extent of their demise, that their software will absolutely destroy data and still allow the drive to be reused. None. Their marketing claims fail when you put them on the spot to not only guarantee, but prove, that data is not recoverable. Not when you specify the penalty for failure.
In this scenario, we shred the drives. Which renders most machines into scrap as well, selling them for a pittance as spares and inert parts. Kinda sad, I would buy my current notebook when it gets decommed, but that's just not practical since the drive will cost more than the unit is really worth.
I'm guessing one reason you're tasked with finding a solution is that this new requirement escaped attention, and the extra cost is enough to justify finding a way around it. If so, and if there are not such penalties that would make that unwise, I would recommend:
- Wipe with the best stuff available.
- Format and install an OS, probably from an image.
- Fill the drive with 'random' data. Fill to 0% free. Use smaller and smaller files to do this.
- Wipe again.
- Format and install again.
- Use a different wiper and repeat steps 1-5 Above. Twice.
- Use a different OS and repeat 1-6 above. Twice. Different data to fill the drive.
- Wipe with a third different wiper and third different OS (probably a server OS this time) and do 1-5 again. Twice. Different data to fill the drive this time also.
- Send a sample drive out to one of the recovery specialists and pay them anything to get anything off the original data. You did put on some predictable data, right? Give them a copy - this is what they are looking for. Don't put any of this data in your OS and fill stuff, ok? If they find ANYTHING, including OS files, this is a failure. Directory entries with timestamps before your wiping count as a find.
If that seems inane, well, it's more work than a drive is worth, even with automation. You get it now don't you? Just buy the drives and let your boss whimper a little over the dollars. It's not worth the trouble.
And, yes, this is overkill. If his exposure is less than the loss of the company, then he can eliminate some of these steps. No problem. It just won't happen where I work.
deleting the extra space after periods so i can stay relevant, yeah.
Since you just don't want to physically destroy the hd, tools like DBAN that others proposed should do just fine.
I had thought something similar to your encryption scheme but for another case. It was for personal data within backups. If I am required to get rid of a person's personal information after, let's say, a year, what about my backup containing the user information, must I load it and remove the client information to comply with the legal requirement? I had the idea to encrypt the client specific information with a key that would eventually be rotated and discarded so that the backup would still be valid but the client's "expired" confidential information wouldn't be retrievable. The only thing I'm uneasy with in this case is that eventually with all the evolution in computing, algorithms, computing power, grids, etc, the current encryption scheme could eventually become weak, rendering all my old backups quite dangerous.
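The per-client key scheme described in the comment above, as an added example that is not from the thread: records are encrypted under a key held outside the backup, and deleting one client's key expires only that client's rows while the archive stays restorable for everyone else. The cipher is an HMAC-SHA256 keystream with an HMAC tag so it runs on the standard library alone; a deployment would use AES-GCM from a vetted library, and the worry raised above (the algorithm ageing) is handled by re-encrypting archives under a stronger one at key rotation. KeyVault, Backup and the sample records are made up.

```python
"""Crypto-shredding of per-client records in a backup (constructed example,
not from the thread). Each client's records are encrypted under that client's
own key, kept in a key store outside the backup set. When a client's retention
period ends, the key is deleted; the backup stays intact and restorable for
everyone else, while that client's rows are unrecoverable ciphertext.

The cipher below is an HMAC-SHA256 keystream in counter mode plus an HMAC
tag, used only so the example runs on the standard library; a deployment
would use AES-GCM from a vetted library. KeyVault and Backup are made-up names."""
import hashlib
import hmac
import secrets
import struct


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one client key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF output blocks HMAC(enc_key, nonce || counter), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with a fresh random nonce per record."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(key: bytes, blob: bytes) -> bool:
    """Constant-time tag check; False if the blob was altered or key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    if not is_authentic(key, blob):
        raise ValueError("record failed authentication")
    nonce, ct = blob[:16], blob[16:-32]
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyVault:
    """Per-client keys, stored separately from the backups. Destroying a key
    here is the only step needed to expire that client's archived data."""

    def __init__(self) -> None:
        self._keys = {}

    def key_for(self, client_id: str) -> bytes:
        return self._keys.setdefault(client_id, secrets.token_bytes(32))

    def has(self, client_id: str) -> bool:
        return client_id in self._keys

    def shred(self, client_id: str) -> None:
        self._keys.pop(client_id, None)


class Backup:
    """Archive of (client_id, encrypted blob) rows. It is never rewritten
    when a client expires; only the key store changes."""

    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.rows = []

    def store(self, client_id: str, data: bytes) -> None:
        self.rows.append((client_id, encrypt_record(self.vault.key_for(client_id), data)))

    def restore(self) -> dict:
        """Decrypt rows whose key still exists; shredded clients come back as None."""
        out = {}
        for cid, blob in self.rows:
            plain = decrypt_record(self.vault.key_for(cid), blob) if self.vault.has(cid) else None
            out.setdefault(cid, []).append(plain)
        return out


def expiry_demo():
    """Two clients backed up (constructed data), then alice's retention ends."""
    vault = KeyVault()
    backup = Backup(vault)
    backup.store("alice", b"alice: SSN 000-00-0000 (constructed)")
    backup.store("bob", b"bob: account 12345 (constructed)")
    before = backup.restore()
    vault.shred("alice")  # the only action taken; backup rows are untouched
    after = backup.restore()
    return before, after
```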
I took a customer's money and now I don't want to provide the service because it will cost me too much and it will eat into my profits?
Tough.
As others have said, if this is a contractual issue you'll need to renegotiate the contract - and (presumably) give some money back (like that will fly with the executives since the revenue has already been reported)... It makes no difference whether there are acceptable solutions that do not involve physically destroying the disk.
That's what the contract stipulated. Like it or lump it, that's what you signed up for when taking the money.
Why should I as tax payer allow you to make more profits for less service?
Why not contact the NSA for guidance since that's their specialty.
Drive destruction requirements should have been foreseen and incorporated into the budget.
So what if it's "expensive"? It's a cost of doing business, like toilet paper. The fetish for saving hard disks is silly.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Slashdotters rightfully complain about poor government security, but for some reason snivel about destroying hard disks.
Hard disks aren't "expensive" nowadays. Classified data loss OTOH can be VERY expensive.
Shred the fucking drives.
Hi
You don't specify which government, but let's assume it's one with a comprehensive information assurance policy.
First things first. Find out who the technical authority for information assurance is in your country. Then find out what the official policy on erasing and destroying information assets is. This information may not be published, and you may need to be registered with the technical authority to access it. Then cross reference against the terms of the contract. Then do.
To help you a little, most best practice policies describe a range of methods. The selection of which method depends on
* the device used to hold the data - HDD, flash memory (multiple technologies), DRAM, etc
* the classification / protective marking of the data (SECRET, TOP SECRET etc)
* whether the device is being re-used (for new data) within the same secure facility where it was held originally, or is it being removed from that facility (for destruction)
Removal methods vary from using certified data erasure products, to complete physical destruction via a specified and approved method. In any case, there will be a detailed procedure to follow, possibly also independent witnessing and certification of the destruction. In any case, there will be an explicit process to follow, as well as copious paperwork.
Note the use of the phrase 'certified...products'. While tools such as DBAN may be effective, they are not approved and certified by your national technical authority for information assurance. Using a non-certified product is equivalent to using nothing, and there may be penalties if you claim to have followed the set process, but used such non approved tools.
Your organisation should have an information security officer (or similar executive) who is responsible for this. Normally having such a professional is a prerequisite to handling classified / protectively marked material in most countries.
What you've discovered should really have been caught pre-contract signing, by your legal and/or commercial people. You need to talk to your bosses about this. Oversights such as this can destroy a business, both in terms of money and reputation. HTH g
1) Buy random old clunker drives off some 2nd hand surplus computer shop for pennies on the dollar.
2) Send the old clunkers to the shredder outfit.
3) Keep your originals.
4) ???
5) Profit!
Do you really think the destruction facility is going to examine the contents of the disks before shredding them? If so, record some random bitstream onto the disks and swear the contents are encrypted and you no longer have the keys.
When it comes to something as serious as national security, "Certificates of destruction" should include the drive's serial number and identifying information and they should be written up as an affidavit or be written up "under penalty of perjury" or similar language.
The guy filling them out had better double-check to make sure the serial number on the drive he's about to throw into the shredder matches the serial number on the certificate of destruction before he signs it or he risks prison time.
Now, as for the company sending bogus drives to the shredding facility: The serial numbers on the certificates better match the ones that were originally purchased. Oh, and yes, those serial numbers should have been recorded before the drive was used to store classified data.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
My company wipes and destroys hard drives. We do it because everyone demands it. And we charge something for it. And yes, there is some degree of risk about hard drive data being recovered. Just not in proportion to the hysteria. I had a public school official loudly insist that we put her school computers at highest priority of data destruction because, she explained, some of the children who used some of the computers were mentally challenged, and she could not take the risk that someone might find the work they did on the computers and make fun of them. Here I am, 6 years later, making fun of HER.
While nothing is zero risk, it's pretty unlikely someone is going to get your data THAT way. The cases of identity theft are mostly A) stolen data IN USE (lost laptop, phishing, corporate espionage), or B) waiters and waitresses addicted to drugs (taking credit card info), or C) companies like mine who want to scare clients... and all of those are distant second to someone pilfering your mailbox. No anonymous person is rebooting anonymous Pentium 2s looking for your letter to your divorce lawyer.
Again, I'm not being reckless, and wouldn't want people to think we don't do what we promise. Just the hysteria over the risk of simple reformatting is similar, statistically, to a shark attack. Yes, you should wipe the drive, especially if you store passwords or credit card info, but I don't imagine many thieves running reverse-wiping software unless they already know the person and are looking for something specific... it's too easy to get the same information from a current PC via phishing or looking over someone's shoulder. Sometimes I suspect the whole hard drive scare was cooked up by Intuit, Microsoft, Adobe, etc. and it's all about getting us to wipe off hundreds of dollars of software.
Gently reply
Hey, I work in a company that does data destruction for corporate and government agencies. DBAN using the DOD 5220.22-M method is our general purpose for government level stuff. It's quick and easy. Stack up computers and run them in batches. We get audited on this frequently and have never failed.
Cheers,
Current cryptographic techniques could fall prey to developments in mathematics, quantum computing or cryptography.
To ensure long-term security, the most reliable way would be to destroy the drive physically.
Your contract says the disks have to be shipped off. That's what you have to do.
In the future, I recommend reading your contracts carefully before signing them.
I currently work for a Government agency and I strongly advise against using logic to argue with them. Things are done the way they are written. It costs them more time and money to rewrite the rules than to buy new hard drives.
The method we use in this office to dispose of hard drives is the same for ALL drives regardless of content. They have had too many mistakes to do it any other way. Better safe than sorry.
Here is the procedure for hard drives we use:
1. Overwrite the data using the computer in which it is currently installed. (Something like DBAN that costs a bunch of money)
2. Physically degauss the hard drive. (A large electro-magnet that they paid too much for)
3. Send the drives to NARA:
http://www.archives.gov/about/
At NARA they check and make sure that the drive is not readable. If it appears to be blank or broken they physically destroy the equipment. If they can get something out of it then they analyse the data before they destroy it. They might want to keep it.
P.S. There is no secret information at the facility in which I work.
With all due respect, if the contract specifies destroying the drives, the associated costs should have been factored into the estimate in the first place.
WALSTIB!
However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.'
I know government contracts are long, but why is it no one read the contract before now? If you signed it without reading it, then you should expect to be surprised later. I'd say that replacing some hard drives is pretty minor. You got off easy.
RFTC = read the f-ing contract!
-- QED
Buying a few motherboards that DO support this as 'data cleaners' would be much more of a reasonable cost than replacing every single hard drive, perhaps multiples of times.
---
Sounds like you've had the prior contract for a few years. Add in the next few years for the new contract. Sounds like six years or so. This might exceed the expected longevity of the hard drives in question. They might become ripe for a head crash or equivalent. In between contracts would probably be a less painful time to do the replacement to ensure better uptime during the new contract. Perhaps getting more information on the MTBF for the drives might help decide this.
Also, the capacities of drives go up and their costs go down over time. You may need fewer, larger capacity drives to meet your requirements, so the cost might be less.
Like a good neighbor, fsck is there
I agree. You're trying to solve a commercial issue (and possible mistake) with a (poor) technical solution.
As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?
Your contract negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.
As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.
http://www.shredit.com/Shredding-Service/What-to-shred/Hard-drive-destruction.aspx
Have them come to you; it's documented. Done!
Go on to your next task.
If you are working for DoD or any armed service subsidiary, I'm pretty sure the policy is for you to have the drives destroyed before they leave your control, period. You can re-use them internally indefinitely, but at the end, they need to get physically destroyed. The various overwrite processes are usually considered "good enough" to reuse them at lower security levels until then, though.
It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.
Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:
Since Oct 2007, when ISL 2007-01 (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.
Degaussing has to be done using a degausser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)
Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the Curie point. You can't just toss it in any old shredder.
You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.
Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.
Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 is one; it allows for sanitization by overwrite, IIRC.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
The last I checked, the only government-approved software was UniShred.
That being said, after you check out the licensing costs, you may just want to get new drives.
You got to do what you were contracted to do. Shred the disks. Government security types will not accept compromise.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
If you're dealing with highly sensitive data, encrypting the drives after the fact and "losing" the key (as suggested in the original post) will not even come close to meeting the requirements for data destruction. What they're worried about is that a sufficiently determined forensic analysis with sophisticated equipment could recover magnetic traces of the previous (in this case unencrypted) data from the platters. Your suggested "solution" actually makes things worse, by adding the possibility that all copies of the key haven't been destroyed, thereby allowing the data to be easily decrypted.
Depending on how sensitive the data is, a multi-pass wipe of the entire drive with varying data patterns may be sufficient to satisfy the security requirements. But if the contract explicitly stipulates physical destruction of the media, then you must physically destroy the media... or risk jail time.
If the data isn't in fact sensitive, but the requirement for physical destruction of the equipment was written into the contract anyway, then someone screwed up.
In a Top Secret DOD environment, you use a "special" chipper that reduces the disks and every other part of them to 1 mm chips. This is what was used when the B2 bomber was still "black".
Will it blend...?
No harm will be done..
Does someone on /. staff sit down and write one of these every few months on a slow news day?
Actually, any (S)ATA Security Command requires prior unlocking. As all drives are unlocked by default, malicious software may simply set a password on your hard disk to access it. If you're rebooting your box in such a situation, your BIOS prompts for the password, so effectively, your hard disk's data is held hostage by the malicious software.
To prevent similar issues, any likely current BIOS during the booting process sends a "security freeze" command to lock all (S)ATA drives until that drive is being reset. The obvious workaround: boot your software, remove power from the drive, re-attach power cables, set a "security password" on the drive ("secure erase" requires this) and then issue the "secure erase" command. There is also special hardware to do so (a simple hard disk interface with a single button, which results in sending "set password" and "secure erase").
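One way to script the check implied by the comment above, as an added example that is not the commenter's code: it reads the "Security:" block that `hdparm -I` prints, refuses to proceed while the drive is security-frozen or locked, and otherwise prints the set-password plus secure-erase command pair. The two hdparm outputs are constructed samples embedded inline, the device path /dev/sdX and the password ERASEPASS are placeholders, and no real drive is touched.

```shell
#!/bin/sh
# Added example (not code from the thread): decide from the "Security:" block of
# `hdparm -I /dev/sdX` whether the set-password + SECURITY ERASE UNIT sequence the
# comment describes can run, and print the hdparm commands it needs.
# Both samples below are constructed; the hdparm flags themselves are real.

# A drive as a BIOS that issues SECURITY FREEZE LOCK at boot leaves it.
SAMPLE_FROZEN='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# The same drive after the power-cycle workaround: the freeze has cleared.
SAMPLE_THAWED='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# ata_flag TEXT NAME -> "no" if hdparm lists "not NAME", "yes" if it lists NAME.
ata_flag() {
    if printf '%s\n' "$1" | grep -Eq "^[[:space:]]*not[[:space:]]+$2\$"; then
        echo no
    elif printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2\$"; then
        echo yes
    else
        echo unknown
    fi
}

# erase_plan TEXT DEV -> prints the commands to run, or a STOP/SKIP reason (status 1).
erase_plan() {
    text=$1 dev=$2
    [ "$(ata_flag "$text" supported)" = yes ] || { echo "SKIP: $dev lacks the ATA security feature set"; return 1; }
    [ "$(ata_flag "$text" locked)" = no ] || { echo "STOP: $dev is locked; unlock it first"; return 1; }
    [ "$(ata_flag "$text" frozen)" = no ] || { echo "STOP: $dev is security-frozen; power-cycle the drive and re-read hdparm -I"; return 1; }
    # Enhanced erase is specified to cover reallocated sectors too, so prefer it when listed.
    mode=--security-erase
    printf '%s\n' "$text" | grep -Eq '^[[:space:]]*supported: enhanced erase$' && mode=--security-erase-enhanced
    echo "hdparm --user-master u --security-set-pass ERASEPASS $dev"   # password exists only for the erase
    echo "hdparm --user-master u $mode ERASEPASS $dev"                 # the erase clears it again
}

erase_plan "$SAMPLE_FROZEN" /dev/sdX || true
erase_plan "$SAMPLE_THAWED" /dev/sdX || true
```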
If the contract says they must be destroyed at an approved facility, you'll either do that, violate the contract, or re-negotiate (no promise of success there).
Assuming the answer is re-negotiate, it's too late for the encryption then lose the key approach. You've already committed unencrypted data to the drives. You can't fix that now. Some sectors might have been marked bad and left stranded with data that must be erased, but you can't overwrite short of bypassing the controller on the drive (if even then, it depends on the sort of damage that got it marked bad).
I would guess your best bet is an addendum on the renewal that allows you to keep the old drives rather than destroy them and then load the same data back on their replacement. It may even be that the clause requiring destruction already accommodates that in the event of renewal, it may take a lawyer to determine that (for example, does the phrase upon termination kick in at the end of the contract period or does it effectively read "upon non-renewal" in this case).
If worst comes to worst, perhaps drive prices will be back to normal by spring. The actual factories weren't damaged (just the support infrastructure such as water and power) and some claim that panic buying (and perhaps a bit of gouging) rather than lost capacity is the root cause of the price increases. That could easily resolve by then.
So many w's in this post...
Sledgehammer and bonfire. You could schedule weekly stress-relieving therapy sessions for employees.
$ unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep
The problem isn't destroying the data. The problem is demonstrating that you've destroyed the data.
Whole idea is stupid. Once the disks are destroyed, no one can corroborate that those were the actual disks that were required to be destroyed. The government-trusted facility which performs the shredding would need to make a single complete copy of the disks prior to the disks' destruction, and then put them at the government's disposal for verification ... at which point they still have the data that needs to die ...