Ask Slashdot: Data Remanence Solutions?
MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particularly with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"
There is software out there (like DBAN) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
We all know what to do, but we don't know how to get re-elected once we have done it
...burn it to an optical disc, then shred the disc! :)
DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.
If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.
... is that your idea is logical, rational, and sensible, and therefore will not be considered an acceptable solution.
I recommend inventing some bloated bureaucratic process that involves miles of red tape, and doesn't actually address the issue at hand.
Hell, they might give you a fucking medal for that.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Assuming it's a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.
If you just need to destroy the data then why not write random garbage to the entirety of each drive several times?
That's more certain for not being able to recover the data than using some encryption, which still has some structure and so with the application of sufficient time and resources might be recoverable.
There must be some sort of government/military specification for data disposal along the "write random garbage" lines which would satisfy your clients.
why don't you just set them to random bits, if that is the goal.
don't go writing that report, you'd sound silly. unless your superiors are really, really dumb.
world was created 5 seconds before this post as it is.
It used to be that there were several ways to recover data from a wiped drive even after wiping the data and writing over it, but from what I understand, due to the size of a bit on a modern hard drive, it is impossible to read something that has been overwritten.
Don't know something? Look it up. Still don't know? Then ask.
If you believe the data shouldn't be destroyed, have your contracting office send the government contracting officer a letter requesting the requirement be deferred until the end of the new contract.
See here:
http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
Zero-fill (full disk, including bad sectors) is good enough unless there's some top-secret spy tech that you need to protect against (SQUID transducers is one thing I heard?)
"When information is power, privacy is freedom" - Jah-Wren Ryel
The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.
Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.
Make sure your negotiators don't foul this up for future contracts.
What's with the draconian data policies cropping up everywhere now? Even the company I work for is requiring HD destruction as opposed to just a decent low-level formatting. Is there at least a good reason in this case?
Why are you destroying the disks? Do you not need any of that data?
Why not request an addendum to the contract that postpones the destruction until a time when the contract is not renewed, or the disks fail (whichever comes first)?
As suggested by others, DBAN is good, or my preferred method is:
write garbage:
# /dev/disk is the whole-device node (e.g. /dev/sdb), not a partition; bs=4M is far faster than dd's 512-byte default
dd if=/dev/urandom of=/dev/disk bs=4M
then write zeros:
dd if=/dev/zero of=/dev/disk bs=4M
"Lame" - Galaxar
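An added example, not from anyone in the thread, of the same two dd passes wrapped so that the wipe can be checked rather than just asserted. It writes one random pass and one zero pass to a target (a whole-device node such as /dev/sdb, or an image file for testing; both are assumptions), then reads the whole target back and counts the bytes that are not zero. It assumes GNU coreutils on Linux (head -c, dd conv=fsync, blockdev). As the bad-sector posts further down point out, this only reaches sectors the drive still exposes; blocks the firmware has already reallocated are not touched by any overwrite.

```sh
#!/bin/sh
# Added example: two-pass overwrite of a block device or image file, followed
# by a read-back that proves the final state is all zeros.
# Assumes GNU coreutils on Linux. The target path is the caller's choice.
# Limitation: only LBAs the drive exposes are rewritten; sectors the firmware
# has already reallocated (bad blocks) are not reached by any overwrite.

# size_of TARGET -> size in bytes, for a block device or a regular file
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# one_pass SOURCE TARGET: copy exactly size_of(TARGET) bytes from SOURCE onto
# TARGET in place. head -c bounds the copy (so /dev/urandom does not run
# forever on an image file), conv=notrunc keeps an image file at its own
# size, conv=fsync forces the data out before dd returns so the verification
# below reads the medium rather than the page cache.
one_pass() {
    size=$(size_of "$2")
    head -c "$size" "$1" | dd of="$2" conv=notrunc,fsync status=none
}

# wipe TARGET: the random pass from the post, then the zero pass.
wipe() {
    one_pass /dev/urandom "$1"
    one_pass /dev/zero "$1"
}

# verify_zeroed TARGET: read the whole target back, strip every NUL byte and
# count what is left. Prints that count (0 is what a wipe record should show)
# and returns success only when it is zero.
verify_zeroed() {
    size=$(size_of "$1")
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    echo "$nonzero"
    [ "$nonzero" -eq 0 ]
}

# Stand-alone use: ./wipe.sh /dev/sdX   (destroys everything on the target)
if [ $# -eq 1 ]; then
    wipe "$1"
    if verify_zeroed "$1" >/dev/null; then
        echo "wiped and verified: $1"
    else
        echo "VERIFY FAILED: $1" >&2
        exit 1
    fi
fi
```

The read-back is the part DBAN-style tools leave to trust: a non-zero count after the zero pass means either the write did not complete or the medium is not returning what was written, and either way the drive should not be reported as wiped.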
The problem isn't destroying the data. The problem is demonstrating that you've destroyed the data. If you hand over all the media that the data is on for shredding, and it gets cataloged and then shredded, any bean counter can look and say "see? here's the certificate that says it was destroyed." If you erase it and promise "I erased it! I swear! Honest!", there's not much to look at when they do their audit.
1) When it comes to classified data, physical destruction is typically required
2) When it's a "new contract" the only way around the requirement is to amend the contract. Much easier said than done.
Your company likely doesn't have the political pull to amend the contract and/or it will be more expensive to do so than to buy new drives.
But if you CAN change the contract, then just change it to allow DoD-wiping or similar.
I think there may be a political reason to require destroying the drives and buying new ones: It makes sure that both the incumbent company (you) and any other bidders are on "a level playing field" - that is, you won't be able to reduce your bid by the cost of the drives.
There is also a technical benefit: You are going to start with brand new drives, reducing the odds of drive failures mid-project.
I would recommend your company modify FUTURE contract negotiations to specifically allow for re-using media if the contract is extended or replaced with a contract that is doing substantially the same work AND substantially the same group of employees/subcontractors have physical access to the computers or servers.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. DBAN / similar bootable cds
2. Linux Live Cd -- my fav also the most complex if you don't know unix command line I guess
3. Plug in as any non-primary disk and run Windows DoD-based wipe software (Google) on it. -- To speed things up consider getting a PCI-e SATA adapter so you can do many at once; the adapter is probably cheaper than whatever they pay you.
I think the government standard is DOD, anything over is time consuming and overkill.
In your report you may want to include why DOD will work and why it's not recoverable, I'll leave that research to your already suspiciously lazy ass.
Encryption accomplishes the same thing, but you'd have to encrypt 3 times and show how the encryption is altering the disk's physical characteristics to make it unrecoverable.
Also I'm not sure where you're coming from on disk space is expensive; it's at the cheapest it's ever been, and will only get cheaper till something replaces SSD and then that will be expensive and the rest of the HDs will get EVEN CHEAPER.
Depending on what you have on your harddrives the gov may accept DOD or it may only accept a physical shredder.
I'd challenge you on how are you going to show to the gov that you actually performed the DOD wipes?
Tbh, sounds like you don't know wtf you're doing. I'd recommend bringing in a consultant to show you the light; this is very basic admin stuff and I don't have anything to do with the gov, just a lot of people's personal data in my position.
Don't try to find ways to cut costs or save money by skirting around your contractual obligations. Your contract says to destroy the hard drives. You MUST destroy them. You WILL lose your contract if you do not.
If you have a Security department, take your concern to them or your Contracts Manager for this contract. They will tell you the same thing...especially if it's a classified program.
Um, ghosting these drives then reporting them destroyed might just be punishable as treason.
Erasing the drive using standard tools like DBAN will NOT erase sectors that the firmware mapped out as bad over the life of the drive.
The government wants any classified information that was ever written to these sectors destroyed as well.
This is why the drives must *eventually* be destroyed rather than land-filled or surplused.
You can still make a good case that re-using the drive on what amounts to a continuation of the old contract will save money and harm nobody. But as I said before, it's not worth fighting the bureaucracy on this one. Drives were cheap before the flooding in the Far East, and they will be cheap again soon enough.
Replacing the drives might not be a bad idea.
If the drives are a couple of years old, you might be better off destroying the drives and buying new ones. The cost of certified drive destruction is pretty cheap, new drives can be had for not much ($60 to 200 depending on whether desktop or workstation).
The lifespan of drives isn't infinite so this would be a good opportunity to replace the 3 or 4 or 5 year old drives with new ones. The incremental labor of removing the drive, putting it in the send out for secure destroy box and replacing it with a brand new one will not be much more than spending an hour or two wiping the drive. Either way you have to re-image the device.
And the time savings of not having an old production drive go will be huge.
I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract:
Google turns up this copy in PDF.
Hope that helps!
Carousel is a lie!
> I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed
How do you destroy the key? You encrypt it and destroy the second key that you used to encrypt the first one? That's convenient, now you just have to repeat the process in a recursive manner and it should be completed in NaN years.
lucm, indeed.
The business solution is to have the original contract revised to not force you to destroy something you want to keep. You get the next contract, get them to keep the parts to save time, money, efforts, energy. If it works then your employer will see you as a multi-faceted resource with solutions from more than one discipline. If nobody agrees then stop working for someone who makes stupid decisions.
That's how I operate and I've never been fired, been promoted 4-5 times though.
If it's reversible, you do it.
The fact is that if the hard drive read head writes a zero, the hard drive read head will read a zero, it will not read a 0.0003 and be able to speculate that it was once a 1.
http://hardware.slashdot.org/story/08/09/06/189248/the-great-zero-challenge-remains-unaccepted
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
If it's the same project, you can ask the project office to waive the requirement in the prior contract.
I came here expecting an eye-opening discussion regarding some emerging theory of systems administration regarding "data romance".
Son, I am disappointed.
Colin Dean Go a year without DRM
I would shy away from the encryption method. The drives will be very hard to decrypt but not impossible so it's possible for someone to break the key and get the information off. Even if you use a one time pad there is still a chance of someone breaking it.
The best way to handle this is to magnetically scramble the drive using high powered magnetic fields and then continuously low level format them at least 10 times. This will render the information completely erased. At that point there is as close to a 0% chance of data retrieval as possible.
You mean like this? Maybe you should read the articles you cite before you use them to correct someone else.
As to secure destruction, encryption is quite fine, if it is modern encryption done right. (I have seen some commercial things that were just stupid....) Overwriting, as some here suggested, unfortunately does not do the job, because of defect management. For sectors still in use, it is likely just as secure as encryption, but it does exactly nothing for reallocated blocks. (Even more so for SSDs and flash drives.)
For Windows, TrueCrypt is a good solution. For Linux LUKS with defaults or AES in XTS mode.
But the problem is the contract. If it stipulates physical destruction, then you have to do that. There will likely be no legal way out of that.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Close. Federal criminal charges can be brought against someone intentionally doing this.
There are a number of good posts on here, and a lot of people saying "use DBAN".
99.99% of the problem space here is the process that proves the drive was wiped and the processes supporting that, 0.01% is doing the wiping.
send to me. i'll throw 'em in the burn-barrel out in the yard.
Encryption won't destroy the data. You are assuming that it is impossible to decrypt the data. As computers get faster and faster you will have a hard time trying to prove to someone that it can't be decrypted.
Do it the "right" way. Use the Secure Erase command added to the ATA and SCSI interface specs. http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml. Funded by the NSA until recently.
What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high.
It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.
I have contracted with many government agencies over 16 years. This issue is a lot larger than your one customer. When the government mandates that drives containing sensitive material be destroyed, they mean it, and will not back down, no matter how logical your alternative. The security gurus, if you can call them that, take the approach, better safe than sorry. Rather than doing an expensive study to determine if data truly is gone when you write it over dozens of times with random data, it's just easier to mandate to smash the hard drive with a 10 pound sledge dozens of times. That said, if the hard drives aren't changing hands, it seems silly to me that they'd mandate you destroy all of the old drives and start the same project over again with all new ones...unless I'm missing something. As long as the drives stay at the same classification from the same agency, usually they don't have to go anywhere. However, if the data from the old project must go away, and the new project is unrelated, I might see why they want the old data destroyed. In my experience, though, if equipment never leaves the room, and the room never changes classification, it usually stays. Remember, it's a "better safe than sorry" situation with the government. They won't listen to an alternative, because it's a government-wide security mandate, and they never deviate from those. Given a choice between listening to your security officer and listening to your intellect, listen to your security officer every time. You'll keep your job and your security clearance.
That's great IF your motherboard actually supports the command. A surprising number of SATA controllers will refuse to transmit the command (something about NSA involvement there too)...
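An added example, not from anyone in the thread, that turns the two caveats raised above into a check you can run before choosing a method: whether the drive will accept the ATA Security Erase command at all (the "frozen" state in hdparm -I is set by a SECURITY FREEZE LOCK that most BIOSes issue at boot; a suspend/resume cycle or hot-plugging the drive on a different port usually clears it), and whether SMART reports reallocated sectors, which a plain overwrite can never reach (the point of the bad-sector posts earlier). The hdparm -I and smartctl -A output below is constructed so the script runs offline; the device names, serials and attribute values are made up, and the hdparm flags quoted in the comments are the real ones.

```sh
#!/bin/sh
# Added example: decide, from hdparm -I and smartctl -A output, whether a
# drive can be sanitized in software or has to be destroyed. Constructed tool
# output is embedded so this runs offline; for a real drive capture it with
#   hdparm -I /dev/sdX > hdparm.txt ; smartctl -A /dev/sdX > smart.txt
# All sample values below are made up.

# Constructed hdparm -I "Security:" sections. hdparm prints each flag as
# "<tab><tab>flag" when set and "<tab>not<tab>flag" when clear.
HDPARM_READY=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.')
# Same drive after the BIOS issued SECURITY FREEZE LOCK at boot: erase
# commands are rejected until a suspend/resume or hot-plug clears the state.
HDPARM_FROZEN=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.')
# A drive (or USB bridge) that does not implement the ATA security feature set.
HDPARM_NOSEC=$(printf 'Security:\n\tMaster password revision code = 65534\n\tnot\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen')

# Constructed smartctl -A attribute tables; the last column is the raw value.
SMART_REALLOC=$(printf 'ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE\n  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       12\n  9 Power_On_Hours          0x0032   090   090   000    Old_age   Always       -       8760')
SMART_CLEAN=$(printf 'ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE\n  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0\n  9 Power_On_Hours          0x0032   090   090   000    Old_age   Always       -       8760')

# security_state HDPARM_FILE -> unsupported | locked | enabled | frozen | ready
security_state() {
    sec=$(sed -n '/^Security:/,/ERASE UNIT/p' "$1")
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]+supported$' || { echo unsupported; return 0; }
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]+locked$'  && { echo locked; return 0; }
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]+enabled$' && { echo enabled; return 0; }
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]+frozen$'  && { echo frozen; return 0; }
    echo ready
}

# reallocated_sectors SMART_FILE -> raw value of attribute 5 (0 if absent)
reallocated_sectors() {
    awk '$1 == 5 && $2 == "Reallocated_Sector_Ct" { print $NF; found = 1 }
         END { if (!found) print 0 }' "$1"
}

# sanitize_plan HDPARM_FILE SMART_FILE -> the method to record for this drive:
#   secure-erase  firmware erase also covers reallocated sectors; run
#                 hdparm --user-master u --security-set-pass PASS /dev/sdX
#                 hdparm --user-master u --security-erase PASS /dev/sdX
#   frozen-retry  clear the freeze lock (suspend/resume or another port), retry
#   password-set  a user password is already set and is needed before erase
#   overwrite     no reallocations, so a full overwrite reaches every sector
#   destroy       reallocated sectors hold old data and firmware erase is unavailable
sanitize_plan() {
    state=$(security_state "$1")
    realloc=$(reallocated_sectors "$2")
    case $state in
        ready)          echo secure-erase ;;
        frozen)         echo frozen-retry ;;
        locked|enabled) echo password-set ;;
        *)  if [ "$realloc" -eq 0 ]; then echo overwrite; else echo destroy; fi ;;
    esac
}

# demo: run the decision over every combination of the constructed samples
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$HDPARM_READY"  > "$d/ready"
    printf '%s\n' "$HDPARM_FROZEN" > "$d/frozen"
    printf '%s\n' "$HDPARM_NOSEC"  > "$d/nosec"
    printf '%s\n' "$SMART_REALLOC" > "$d/realloc"
    printf '%s\n' "$SMART_CLEAN"   > "$d/clean"
    for h in ready frozen nosec; do
        for s in realloc clean; do
            echo "$h/$s -> $(sanitize_plan "$d/$h" "$d/$s")"
        done
    done
    rm -rf "$d"
}

demo
```

Whatever the plan, the drive still has to be read back afterwards; Secure Erase in particular reports success from the firmware, and the only independent evidence that it did what it claims is a full read showing zeros.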
The only person that can resolve this for you is the government contracting officer. They will have to review the requirements and decide what is an acceptable solution. You can offer up solutions, including keeping the drives in place since the equipment is staying there anyway, but they must make the call.
Their hands may be tied by regulations that require physical destruction, in which case you have no choice. They may be able to approve keeping the drives. In the end, they will do whatever keeps them out of trouble, which often is to simply enforce the existing contract requirements. In that case, find a place that meets the destruction requirements. They may want to avoid that but if gov't contracting requirements require it they will do it.
It may sound ridiculous, but whatever you spend on new drives is a lot cheaper in the long run than making life difficult for the contracting officer.
I'm a consultant - I convert gibberish into cash-flow.
giving me several more years of near-guaranteed employment!
Correct me if I'm wrong, government contracting experts, but a little known factoid is that the government can just terminate any contract it wants to at any time, if it can be shown it's in the best interests of the government. Contractors, OTOH, may not.
So people have already said use DBAN. So I'll point out Symantec Ghost also wipes drives using the GDisk utility. Both Ghost and DBAN can wipe a drive with a DoD standard 5220.22-M wipe. Surely if it's good enough for national defense...
L8r
"How much truth can advertising buy?" - iNsuRge - AK47
And the command is dd if=/dev/zero of=/dev/hda1 given that the partition in question is hda1
Just note that (IIRC) those standards are for non-classified data.
Classified+ require physical destruction/demilling of the drives. Some company failing to follow these stipulations when it comes to classified/S/TS/SCI data is going to lose their contract at best, or someone may face prison time at the worst.
At my Agency we use DBAN if we are going to re-use the drive. Otherwise if the drive is failed and has data on it or if it is just no longer serviceable (ye olde SCSI anyone) it goes into a burn box and IT Security takes it to a secure incineration facility. Encrypting the data and then losing the keys does not destroy the data. It just makes it unavailable to you at this moment. Next year that impossible to crack encryption might not be so far out of reach. If the contract is written that the drives get destroyed then replacing them is the cost of doing business. It is admirable to try and save money but I would rather be sure... This is the classic case of "don't leave them for dead, leave them dead".
If you've got stiff data remanence requirements in your existing contract, it sounds like you'll need to ask for a contract modification. Not knowing exactly what sort of data you're working with, I'll just say it sounds like the customer really wanted to make sure their data didn't end up on eBay by accident.
The time to have provided for a non-destructive alternative would have been when the original contract was being negotiated. That said, ask your PM to ask the customer contracts officer about it. Keep in mind that no matter how good your electronic data wiping method, nothing beats sending the platters to the hammer mill. Your new contract probably budgets for new discs, so unless you and the customer are going to realize significant savings from reuse, I wouldn't go to the mattresses over it.
Luke, help me take this mask off
Which says "As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. "
Since it's the same vendor on the same contract, there's a strong argument that it's the "same security area/zone".
Didn't someone offer a prize for anyone who could recover data from a zeroed drive?
If the contract with the government requires you to destroy the data storage device containing sensitive data, it is a known fact before the contract is signed. In this case you need a different concept for your daily work with this data and how to perform backups:
- Don't store it on a SAN.
- Take into account that you need to destroy your backup, too.
- Recalculate your contract "cost" if you need to replace hardware at the end of the contract.
- Place this "cost of contract" as a new position in your offer, because your customer has to pay compensation - if it is part of the contract, of course.
- Btw. if a hard drive is defective, it has to be destroyed completely by an authorized/certified organization. Don't just throw it away.
Encryption is no option if you work with government/Navy/...
Where I work (non-governmental) they are required by law to ensure data is not recoverable from surplus or decommissioned systems, even desktops and notebooks. 'Ensure' means to guarantee upon legal and regulatory penalties up to and including forfeiture of profits and punitive damages in excess of the company's net worth and revenue. In other words, the penalty is bankruptcy and dissolution.
We wish to avoid that.
There is, sadly, only one absolutely guaranteed method of preventing data recovery, and that is drive destruction. Not just drilling a hole in the platters, not just crushing them flat, but shredding them in a machine designed for that purpose, which is what happens.
Despite all the assurances, there are no software or hardware vendors that will also guarantee, to the extent of their demise, that their software will absolutely destroy data and still allow the drive to be reused. None. Their marketing claims fail when you put them on the spot to not only guarantee, but prove, that data is not recoverable. Not when you specify the penalty for failure.
In this scenario, we shred the drives. Which renders most machines into scrap as well, selling them for a pittance as spares and inert parts. Kinda sad, I would buy my current notebook when it gets decommed, but that's just not practical since the drive will cost more than the unit is really worth.
I'm guessing one reason you're tasked with finding a solution is that this new requirement escaped attention, and the extra cost is enough to justify finding a way around it. If so, and if there are not such penalties that would make that unwise, I would recommend:
- Wipe with the best stuff available.
- Format and install an OS, probably from an image.
- Fill the drive with 'random' data. Fill to 0% free. Use smaller and smaller files to do this.
- Wipe again.
- Format and install again.
- Use a different wiper and repeat steps 1-5 Above. Twice.
- Use a different OS and repeat 1-6 above. Twice. Different data to fill the drive.
- Wipe with a third different wiper and third different OS (probably a server OS this time) and do 1-5 again. Twice. Different data to fill the drive this time also.
- Send a sample drive out to one of the recovery specialists and pay them anything to get anything off the original data. You did put on some predictable data, right? Give them a copy - this is what they are looking for. Don't put any of this data in your OS and fill stuff, ok? If they find ANYTHING, including OS files, this is a failure. Directory entries with timestamps before your wiping count as a find.
If that seems inane, well, it's more work than a drive is worth, even with automation. You get it now don't you? Just buy the drives and let your boss whimper a little over the dollars. It's not worth the trouble.
And, yes, this is overkill. If his exposure is less than the loss of the company, then he can eliminate some of these steps. No problem. It just won't happen where I work.
deleting the extra space after periods so i can stay relevant, yeah.
Disclaimer: I AM a uniformed DoD servicemember whose duties impinge upon this, but I am NOT a contract expert, nor do I know the level of data he's processing. Heck, I don't even know if you're working with the DoD.
1. Ignore all other advice in this thread about using programs to wipe HDs. Only NSA approved wiping software may be used, and the instructions would have to be followed to the letter. In this field non-approved programs aren't considered trustworthy enough. The base
2. While the DoD is moving towards 'Data at rest' encryption, it's not considered remanence security, at this time.
3. Don't view it as a security expense. View it as a contract expense. The customer is allowed to request silly things. You just work it into the contract.
4. Given that the contract has just been renewed and the contract is still in place, there should be NO need to destroy at this time. Only destroy if a HD fails, or would otherwise be replaced/become excess for whatever reason, in which case you have the replacement expense anyways. The contract should contain some blurb about 'when no longer being used for the purpose'. Given that the contract is continuing...
5. Contact your contract office/QAR for more exact details.
6. If you have to ship HD's off to be destroyed, send them to an approved facility. Being contractors, you may or may not be able to use the ones I've used.
I don't read AC A human right
I took a customers money and now I don't want to provide the service because it will cost me too much and it will eat into my profits ?
Tough.
As others have said, if this is contractual issue you'll need to renegotiate the contract - and (presumably) give some money back (like that will fly with the executives since the revenue has already been reported)... It makes no difference whether there are acceptable solutions that do not involve physically destroying the disk.
That's what the contract stipulated. Like it or lump it, that's what you signed up for when taking the money.
Why should I as tax payer allow you to make more profits for less service ?
> In short, HDDs recognize only two states, up or down.
That hasn't been true for at least 10-15 years. Modern hard drives use variable signal strength to record multiple bits into each spot. I believe the official term someone came up with was "vertical recording". In vastly simplified terms, it boils down to this: instead of storing nothing (0) or a magnetic field (1), you store nothing, weak, moderate, or strong. 4 levels = 2 bits. Increase the sensitivity and analog-digital resolution, add some DSP magic, and the number of bits per magnetic area goes way up beyond my example with 2 bits and 4 levels to 8, 16, and more. It makes the drives cheaper to make, because instead of storing single bits at precise spots, you can store clumps of bits in slightly more loosely-defined areas.
He's not advocating doing that, he's expressing incredulity that anybody would want to do so considering the meager savings.
I'm curious why you really even need "random" data to "approach irreversibility" - wouldn't writing all zeroes, then all ones, then all zeroes, then all ones a few times effectively make the original data be "forgotten"? By then, every bit has previously been one, every bit has previously been zero, multiple times?
Drive destruction requirements should have been foreseen and incorporated into the budget.
So what if it's "expensive"? It's a cost of doing business, like toilet paper. The fetish for saving hard disks is silly.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I never understood this argument. I'm an Electrical Engineer, and I understand that there is an analog value that gets interpreted as a digital one or zero, but the implication that 'a weak one implies that the data was previously a zero' sort of assumes that the hard drive was only written once in the first place. What happens if, in the course of writing legitimate data to the hard drive, the bit cell was set to zero, then set to one at a later date? Wouldn't the magical forensic tool get confused and come to the wrong conclusion that the 'weak one' was really a zero, when it fact it was just a 'weak one?' If you look at the analog value for one bit, you should be seeing evidence of the entire history of that bit, though in an indecipherable way. I suppose it depends on how often the hard drive is being used, and how often it is being overwritten.
Slashdotters rightfully complain about poor government security, but for some reason snivel about destroying hard disks.
Hard disks aren't "expensive" nowadays. Classified data loss OTOH can be VERY expensive.
Shred the fucking drives.
$40.00 USD and the title "King (or Queen) of Data Recovery".
$40.00 US DOLLARS!!! And they can keep a 60$ HDD!!! For performing a time-intensive, expensive procedure! Yeah, that totally shows everyone...
Oh and most challengers also wouldn't be able to disassemble the drive. And would have to publicly disclose the method used (heh, yeah, I can totally see the NSA jumping at the opportunity to prove some random Internet blogger wrong while disclosing all their methods). I'm sorry, but that challenge is so obviously a joke, it's actually sad, because people think it answers... well, anything. (source, BTW. Original source has absolutely zero info AFAICT.)
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Hi
You don't specify which government, but let's assume it's one with a comprehensive information assurance policy.
First things first. Find out who the technical authority for information assurance is in your country. Then find out what the official policy on erasing and destroying information assets is. This information may not be published, and you may need to be registered with the technical authority to access it. Then cross reference against the terms of the contract. Then do.
To help you a little, most best practice policies describe a range of methods. The selection of which method depends on
* the device used to hold the data - HDD, flash memory (multiple technologies), DRAM, etc
* the classification / protective marking of the data (SECRET, TOP SECRET etc)
* whether the device is being re-used (for new data) within the same secure facility where it was held originally, or is it being removed from that facility (for destruction)
Removal methods vary from using certified data erasure products, to complete physical destruction via a specified and approved method. In any case, there will be a detailed procedure to follow, possibly also independent witnessing and certification of the destruction, as well as copious paperwork.
Note the use of the phrase 'certified...products'. While tools such as DBAN may be effective, they are not approved and certified by your national technical authority for information assurance. Using a non-certified product is equivalent to using nothing, and there may be penalties if you claim to have followed the set process, but used such non approved tools.
Your organisation should have an information security officer (or similar executive) who is responsible for this. Normally it is a pre-requisite to have such a professional in order to handle classified / protectively marked material in most countries.
What you've discovered should really have been caught pre-contract signing, by your legal and/or commercial people. You need to talk to your bosses about this. Oversights such as this can destroy a business, both in terms of money and reputation. HTH g
Doesn't change the fact that you are spouting off urban legend crap with no technical basis in fact.
There are plenty of instances which show failures to recover overwritten data, zero successes. If the US government has to put your platters in an electron microscope, they're probably just going to hit you with a wrench instead.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
When it comes to something as serious as national security, "Certificates of destruction" should include the drive's serial number and identifying information and they should be written up as an affidavit or be written up "under penalty of perjury" or similar language.
The guy filling them out had better double-check to make sure the serial number on the drive he's about to throw into the shredder matches the serial number on the certificate of destruction before he signs it or he risks prison time.
Now, as for the company sending bogus drives to the shredding facility: The serial numbers on the certificates better match the ones that were originally purchased. Oh, and yes, those serial numbers should have been recorded before the drive was used to store classified data.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
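An added example of the reconciliation step the comment above describes (record serials before use, then match each certificate of destruction against that record). This is not code from any poster; the serial numbers, certificate ids and the `attested` flag are constructed for illustration.

```python
import re

# Constructed sample records (serial numbers and certificate ids are made up).
# Inventory captured at acquisition, before any classified data touched the drives.
INVENTORY = {"WD-WCC4E0ABC123", "S2R5NX0H700001", "Z1D0ABCD", "Z1D0ABCE"}
# Certificates of destruction as returned by the shredding facility.
CERTIFICATES = [
    {"cert": "COD-0001", "serial": "wd-wcc4e0abc123", "attested": True},
    {"cert": "COD-0002", "serial": "S2R5NX0H7OOOO1", "attested": True},   # letter O typed for digit 0
    {"cert": "COD-0003", "serial": "Z1D0ABCD", "attested": False},        # not signed under penalty of perjury
    {"cert": "COD-0004", "serial": "WD-WCC4E0ABC123", "attested": True},  # same drive certified twice
]

def normalize(serial):
    """Uppercase and drop whitespace/punctuation so label variants compare equal."""
    return re.sub(r"[^A-Z0-9]", "", serial.upper())

def reconcile(inventory, certificates):
    """Match certificates against the pre-use inventory and report every discrepancy."""
    wanted = {normalize(s): s for s in inventory}
    report = {"destroyed": set(), "unknown": [], "suspect_typo": [],
              "unattested": [], "duplicate": [], "missing": []}
    seen = set()
    for c in certificates:
        key = normalize(c["serial"])
        if key not in wanted:
            report["unknown"].append(c["cert"])        # facility certified a drive we never owned
            alt = key.replace("O", "0")                # common transcription error; flag for manual check
            if alt in wanted:
                report["suspect_typo"].append((c["cert"], wanted[alt]))
            continue
        if not c["attested"]:
            report["unattested"].append(c["cert"])     # paperwork not sworn; does not count
            continue
        if key in seen:
            report["duplicate"].append(c["cert"])      # one drive cannot be shredded twice
            continue
        seen.add(key)
        report["destroyed"].add(wanted[key])
    # Drives that were purchased but have no valid certificate yet.
    report["missing"] = sorted(s for s in inventory if normalize(s) not in seen)
    return report
```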
My company wipes and destroys hard drives. We do it because everyone demands it. And we charge something for it. And yes, there is some degree of risk about hard drive data being recovered. Just not in proportion to the hysteria. I had a public school official loudly insist that we put her school computers at highest priority of data destruction because, she explained, some of the children who used some of the computers were mentally challenged, and she could not take the risk that someone might find the work they did on the computers and make fun of them. Here I am, 6 years later, making fun of HER.
While nothing is zero risk, it's pretty unlikely someone is going to get your data THAT way. The cases of identity theft are mostly A) stolen data IN USE (lost laptop, phishing, corporate espionage), or B) waiters and waitresses addicted to drugs (taking credit card info), or C) companies like mine who want to scare clients... and all of those are distant second to someone pilfering your mailbox. No anonymous person is rebooting anonymous Pentium 2s looking for your letter to your divorce lawyer.
Again, I'm not being reckless, and wouldn't want people to think we don't do what we promise. Just the hysteria over the risk of simple reformatting is similar, statistically, to a shark attack. Yes, you should wipe the drive, especially if you store passwords or credit card info, but I don't imagine many thieves running reverse-wiping software unless they already know the person and are looking for something specific... it's too easy to get the same information from a current PC via phishing or looking over someone's shoulder. Sometimes I suspect the whole hard drive scare was cooked up by Intuit, Microsoft, Adobe, etc. and it's all about getting us to wipe off hundreds of dollars of software.
Gently reply
Your contract says the disks have to be shipped off. That's what you have to do.
In the future, I recommend reading your contracts carefully before signing them.
With all due respect, if the contract specifies destroying the drives, the associated costs should have been factored into the estimate in the first place.
WALSTIB!
However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.'
I know government contracts are long, but why is it no one read the contract before now? If you signed it without reading it, then you should expect to be surprised later. I'd say that replacing some hard drives is pretty minor. You got off easy.
RFTC = read the f-ing contract!
-- QED
Why do you assume the hard disk platter will be read by the read head?
It's not that hard to disassemble a hard disk, and there's much more sensitive equipment available. But it costs a lot more than the contest you link to.
---
Sounds like you've had the prior contract for a few years. Add in the next few years for the new contract. Sounds like six years or so. This might exceed the expected longevity of the hard drives in question. They might become ripe for a head crash or equivalent. In between contracts would probably be a less painful time to do the replacement to ensure better uptime during the new contract. Perhaps getting more information on the MTBF for the drives might help decide this.
Also, the capacities of drives go up and their costs go down over time. You may need fewer, larger capacity drives to meet your requirements, so the cost might be less.
Like a good neighbor, fsck is there
I agree. You're trying to solve a commercial issue (and possible mistake) with a (poor) technical solution.
As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?
Your contract negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.
As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.
Obvious response: massive overhead in time taken to wipe individual drives. It's very, very, very slow. If it takes 4 hours a drive and you have a couple of hundred, this is a problem. This is why the correct answer is "buy cheap storage, invest in a pillar drill, destroy old drive with drillbit thru platters plus associated paperwork"
because that takes forever for a single disk. Factor in a larger number, and hell will freeze over before it's done, people will get lazy, and stuff will just get pseudo-wiped
Exactly. The government paid for the drives, and pre-paid for their destruction. Presumably you are making money on the contract. Other than trying to screw over the government for a few extra dollars profit, what is your goal?
If you are working for DoD or any armed service subsidiary, I'm pretty sure the policy is for you to have the drives destroyed before they leave your control, period. You can re-use them internally indefinitely, but at the end, they need to get physically destroyed. The various overwrite processes are usually considered "good enough" to reuse them at lower security levels until then, though.
It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.
Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:
Since Oct 2007, when ISL 2007-01 (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.
Degaussing has to be done using a degausser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)
Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the Curie point. You can't just toss it in any old shredder.
You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.
Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.
Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 is one; it allows for sanitization by overwrite, IIRC.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
You got to do what you were contracted to do. Shred the disks. Government security types will not accept compromise.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
If you're dealing with highly sensitive data, encrypting the drives after the fact and "losing" the key (as suggested in the original post) will not even come close to meeting the requirements for data destruction. What they're worried about is that a sufficiently determined forensic analysis with sophisticated equipment could recover magnetic traces of the previous (in this case unencrypted) data from the platters. Your suggested "solution" actually makes things worse, by adding the possibility that all copies of the key haven't been destroyed, thereby allowing the data to be easily decrypted.
Depending on how sensitive the data is, a multi-pass wipe of the entire drive with varying data patterns may be sufficient to satisfy the security requirements. But if the contract explicitly stipulates physical destruction of the media, then you must physically destroy the media... or risk jail time.
If the data isn't in fact sensitive, but the requirement for physical destruction of the equipment was written into the contract anyway, then someone screwed up.
Will it blend...?
They did, $40. As others have said, the stipulations (3 days total to analyze the drive and pull the files, drive must be in same physical condition upon return, methods must be disclosed) and the prize were a joke.
I mean really, $40 sounds like a reward a college freshman might be able to pool together in a night, not a serious offer.
I don't believe that's accurate. The term you're looking for is perpendicular recording, and it refers to the direction of the magnetic field-- where once it was longitudinal and took up a larger portion of the disk for each domain, they changed it to be vertical (perpendicular to the surface of the media) to take less space for the same capacity.
Does someone on /. staff sit down and write one of these every few months on a slow news day?
Actually, any (S)ATA Security Command requires prior unlocking. As all drives are unlocked by default, malicious software may simply set a password on your hard disk to access it. If you're rebooting your box in such a situation, your BIOS prompts for the password, so effectively, your hard disk's data is held as a hostage by the malicious software.
To prevent similar issues, any likely current BIOS during the booting process sends a "security freeze" command to lock all (S)ATA drives until that drive is reset. The obvious workaround: boot your software, remove power from the drive, re-attach power cables, set a "security password" on the drive ("secure erase" requires this) and then issue the "secure erase" command. There is also special hardware to do so (a simple hard disk interface with a single button, which results in sending "set password" and "secure erase").
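An added example (not from any poster here) of the pre-flight check a practitioner would run before attempting the ATA secure erase described above: parse the `Security:` section of `hdparm -I` output and list what still blocks a SECURITY ERASE UNIT command. The sample output is constructed to follow hdparm's real layout; the drive and its flag values are made up.

```python
FLAGS = ("supported", "enabled", "locked", "frozen", "expired")

# Constructed sample of the "Security:" section printed by `hdparm -I /dev/sdX`.
FROZEN_DRIVE = """\
Security:
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""
# The same drive after the power-cycle workaround has cleared the freeze lock.
THAWED_DRIVE = FROZEN_DRIVE.replace("\t\tfrozen", "\tnot\tfrozen")

def parse_security_section(hdparm_output):
    """Turn the Security: section of `hdparm -I` output into a dict of flags."""
    state = {f: False for f in FLAGS}
    state["enhanced_erase"] = False
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break                       # reached the next top-level section
        if not in_section or not line.split():
            continue
        words = line.split()            # hdparm prints "not<TAB>flag" for cleared flags
        negated = words[0] == "not"
        key = (words[1] if negated else words[0]).rstrip(":")
        if key == "supported" and "enhanced" in words:
            state["enhanced_erase"] = not negated
        elif key in FLAGS:
            state[key] = not negated
    return state

def secure_erase_blockers(state):
    """Reasons a SECURITY ERASE UNIT cannot be issued yet (empty list = ready)."""
    blockers = []
    if not state["supported"]:
        blockers.append("ATA security feature set not supported by this drive")
    if state["frozen"]:
        blockers.append("frozen: BIOS sent SECURITY FREEZE LOCK; power-cycle the drive")
    if state["locked"]:
        blockers.append("locked: must be unlocked with the existing password first")
    if state["enabled"]:
        blockers.append("a password is already set; the erase needs that password")
    if state["expired"]:
        blockers.append("password attempt counter expired; power-cycle the drive")
    return blockers
```

Run against a real drive with `parse_security_section(subprocess.check_output(["hdparm", "-I", dev], text=True))`; an empty blocker list is the point at which you set your own password and issue the erase.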
If the contract says they must be destroyed at an approved facility, you'll either do that, violate the contract, or re-negotiate (no promise of success there).
Assuming the answer is re-negotiate, it's too late for the encryption then lose the key approach. You've already committed unencrypted data to the drives. You can't fix that now. Some sectors might have been marked bad and left stranded with data that must be erased, but you can't overwrite short of bypassing the controller on the drive (if even then, it depends on the sort of damage that got it marked bad).
I would guess your best bet is an addendum on the renewal that allows you to keep the old drives rather than destroy them and then load the same data back on their replacement. It may even be that the clause requiring destruction already accommodates that in the event of renewal, it may take a lawyer to determine that (for example, does the phrase upon termination kick in at the end of the contract period or does it effectively read "upon non-renewal" in this case).
If worst comes to worst, perhaps drive prices will be back to normal by spring. The actual factories weren't damaged (just the support infrastructure such as water and power) and some claim that panic buying (and perhaps a bit of gouging) rather than lost capacity is the root cause of the price increases. That could easily resolve by then.
There's many levels of data, and not all of them are classified.
Besides classification levels, you also have FOUO, Privacy Act, HIPAA, etc... Most of which require increasingly higher levels of protection.
Of course, Tricare (our healthcare system) contractors seem to LOVE losing our data and having to pay for credit monitoring...
I don't read AC A human right
The original reason HDD data was recoverable was because the head did not perfectly create or remove magnetic regions on the media. Imperfections, head wobble, electrical noise - all contributed to creating variable sized domains. Now, magnetic polarization of materials has some odd effects - one is that inducing a region of magnetic polarity doesn't swamp out a neighboring region, it will first "push" it away. So if you write "1", then "0", then "1", the thin band of magnetism from the first "1" will be at the outer most edge of the track, with another thin band of "0" and finally the actual "1" that the head sees.
The "killer app" of magnetic force microscopy was then that you could stick the platters under MFM and beat the resolution of the head for reading the data - the oldest copy of the data would be squished up at the edge of the track, the second oldest further in and so on and so forth - you could actually read back several generations of hard disk data.
Of course, since that age, technology has changed - hard disks now use RF modulation to store multiple bits per space, bit densities have shot up, and heads track much more accurately - basically, the physics has been beaten out since we are now writing much more complex data, and almost every single bit of magnetically encodable space on a hard disk is now used to encode data - there's (very little) space between platters, and what signal you get there is likely irrecoverably fuzzed RF if you can even see it at all.
Sledgehammer and bonfire. You could schedule weekly stress relieving therapy sessions for employees.
$ unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep
Usually encryption is a set and forget thing, and it works in the background...