Ask Slashdot: Data Remanence Solutions?
MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particularly with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"
There is software out there (like D-BAN) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
...burn it to an optical disc, then shred the disc! :)
DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.
If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.
Assuming it's a Federal gov contract, there are different standards depending on the Department. It also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.
If you believe the data shouldn't be destroyed, have your contracting office send the government contracting officer a letter requesting that the requirement be deferred until the end of the new contract.
Why not do both? Write encrypted random garbage to the hard disks. Everyone is happy!
The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.
Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.
Make sure your negotiators don't foul this up for future contracts.
1) When it comes to classified data, physical destruction is typically required
2) When it's a "new contract" the only way around the requirement is to amend the contract. Much easier said than done.
Your company likely doesn't have the political pull to amend the contract and/or it will be more expensive to do so than to buy new drives.
But if you CAN change the contract, then just change it to allow DoD-wiping or similar.
I think there may be a political reason to require destroying the drives and buying new ones: It makes sure that both the incumbent company (you) and any other bidders are on "a level playing field" - that is, you won't be able to reduce your bid by the cost of the drives.
There is also a technical benefit: You are going to start with brand new drives, reducing the odds of drive failures mid-project.
I would recommend your company modify FUTURE contract negotiations to specifically allow for re-using media if the contract is extended or replaced with a contract that is doing substantially the same work AND substantially the same group of employees/subcontractors have physical access to the computers or servers.
I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract:
Google turns up this copy in PDF.
Hope that helps!
If it's reversible, you do it.
The fact is that if the hard drive read head writes a zero, the hard drive read head will read a zero, it will not read a 0.0003 and be able to speculate that it was once a 1.
http://hardware.slashdot.org/story/08/09/06/189248/the-great-zero-challenge-remains-unaccepted
Whats with the draconian data policies cropping up everywhere now?
Time after time after time people report finding sensitive data on used or off-lease systems. Replacing drives is trivial vs. the risk of a breach (and also trivial vs. the cost of most contracts that have such requirements).
Encryption solves the problem, if implemented and used correctly all of the time, and if no keys were lost or compromised (with or without anyone's knowledge)
Destroyed drives tell no tales.
Even the company I work for is requiring HD destruction as opposed to just a decent low level formatting.
Given that you can't actually low-level format modern drives out of the factory, I'm not sure what you're suggesting here.
I came here expecting an eye-opening discussion regarding some emerging theory of systems administration regarding "data romance".
Son, I am disappointed.
You mean like this? Maybe you should read the articles you cite before you use them to correct someone else.
There are a number of good posts on here, and a lot of people saying "use DBAN".
99.99% of the problem space here is the process that proves the drive was wiped and the processes supporting that, 0.01% is doing the wiping.
Do it the "right" way. Use the Secure Erase command added to the ATA and SCSI interface specs. http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml. Funded by the NSA until recently.
What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particularly with prices being so high.
It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't, your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.
Simple: Key on usb-key, destroy that. Or use passphrases that unlock the key and destroy the master-key. For example, LUKS is implemented that way with explicit anti-forensic splitting of the master-key, i.e. if you successfully wipe just a few bytes of the master key blown up to about 100kB, you are quite secure.
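The anti-forensic splitting mentioned in the post above, as an added example modelled on the AF-splitter LUKS uses for its key slots (this is illustration code, not from the thread, LUKS or cryptsetup). A 32-byte master key is expanded into 4000 stripes (the stripe count LUKS1 uses) through a hash diffusion, so that recovering the key needs every byte of the roughly 128 KB area intact; overwriting a few bytes anywhere in it, first or last stripe alike, leaves a merge that yields garbage. SHA-256 stands in for whatever hash the key slot is configured with.

```python
"""Added example, modelled on the AF-splitter LUKS uses for its key slots
(illustration code, not from the thread, LUKS or cryptsetup).

af_split() spreads a secret over STRIPES stripes, af_merge() recovers it,
and shred_region() simulates overwriting a few bytes of the stored stripes.
SHA-256 stands in for the configured hash; 4000 is the LUKS1 stripe count.
"""
import hashlib
import os

DIGEST = hashlib.sha256().digest_size   # 32 bytes per diffusion slice
STRIPES = 4000                          # LUKS1 key-slot stripe count


def _diffuse(block):
    """H from the AF-splitter design: every digest-sized slice becomes
    hash(counter || slice), so one changed byte changes its whole slice."""
    out = bytearray()
    for i, off in enumerate(range(0, len(block), DIGEST)):
        out += hashlib.sha256(i.to_bytes(4, "big") + block[off:off + DIGEST]).digest()
    return bytes(out[:len(block)])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def af_split(secret, stripes=STRIPES, rand=os.urandom):
    """Return stripes * len(secret) bytes: stripes-1 random stripes and a
    last stripe that is secret XOR the diffused chain over the others."""
    d = bytes(len(secret))
    out = []
    for _ in range(stripes - 1):
        s = rand(len(secret))
        out.append(s)
        d = _diffuse(_xor(d, s))        # d_k = H(d_{k-1} XOR s_k)
    out.append(_xor(d, secret))         # s_n = d_{n-1} XOR secret
    return b"".join(out)


def af_merge(blob, length, stripes=STRIPES):
    """Inverse of af_split; returns garbage if any stripe byte changed."""
    d = bytes(length)
    for k in range(stripes - 1):
        d = _diffuse(_xor(d, blob[k * length:(k + 1) * length]))
    return _xor(d, blob[(stripes - 1) * length:stripes * length])


def shred_region(blob, offset, n):
    """Simulate overwriting n bytes of the stored stripe area with zeros."""
    return blob[:offset] + bytes(n) + blob[offset + n:]


if __name__ == "__main__":
    key = os.urandom(32)
    blob = af_split(key)
    print("stripe area:", len(blob), "bytes")
    print("intact merge ok:", af_merge(blob, 32) == key)
    # Zero four bytes in the middle of stripe 7: the whole key is gone.
    print("after 4-byte wipe:", af_merge(shred_region(blob, 7 * 32 + 5, 4), 32) == key)
```

The point for the submitter's question is the asymmetry: on a plain on-disk key, a partially failed overwrite leaves most of the key readable, while here a partial overwrite of the expanded area is already enough. It does not remove the need to actually reach the bytes (a reallocated sector or an SSD's wear-levelled copy still holds the old stripe), which is the same caveat the overwrite-vs-encryption replies above argue over.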
Er... if overwriting is not sufficient due to defective sectors, then how does encrypting the data deal with those defective sectors? And how does writing an encrypted version to a SSD do a better job than writing random data to a SSD? It's worse, because you can write data to the entire SSD whereas encrypting will only write as much as you encrypt, leaving some blocks unwritten.
Which says "As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. "
Since it's the same vendor on the same contract, there's a strong argument that it's the "same security area/zone".
Didn't someone offer a prize for anyone who could recover data from a zeroed drive?
> In short, HDDs recognize only two states, up or down.
That hasn't been true for at least 10-15 years. Modern hard drives use variable signal strength to record multiple bits into each spot. I believe the official term someone came up with was "vertical recording". In vastly simplified terms, it boils down to this: instead of storing nothing (0) or a magnetic field (1), you store nothing, weak, moderate, or strong. 4 levels = 2 bits. Increase the sensitivity and analog-digital resolution, add some DSP magic, and the number of bits per magnetic area goes way up beyond my example with 2 bits and 4 levels to 8, 16, and more. It makes the drives cheaper to make, because instead of storing single bits at precise spots, you can store clumps of bits in slightly more loosely-defined areas.
$40.00 USD and the title "King (or Queen) of Data Recovery".
$40.00 US DOLLARS!!! And they can keep a $60 HDD!!! For performing a time-intensive, expensive procedure! Yeah, that totally shows everyone...
Oh and most challengers also wouldn't be able to disassemble the drive. And would have to publicly disclose the method used (heh, yeah, I can totally see the NSA jumping at the opportunity to prove some random Internet blogger wrong while disclosing all their methods). I'm sorry, but that challenge is so obviously a joke, it's actually sad, because people think it answers... well, anything. (source, BTW. Original source has absolutely zero info AFAICT.)
Why do you assume the hard disk platter will be read by the read head?
It's not that hard to disassemble a hard disk, and there's much more sensitive equipment available. But it costs a lot more than the contest you link to.
I agree. You're trying to solve a commercial issue (and possible mistake) with a (poor) technical solution.
As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?
Your contract negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.
As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.
It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.
Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:
Since Oct 2007, when ISL 2007-01 (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.
Degaussing has to be done using a degausser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)
Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the Curie point. You can't just toss it in any old shredder.
You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.
Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.
Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 is one; it allows for sanitization by overwrite, IIRC.
The original reason HDD data was recoverable was because the head did not perfectly create or remove magnetic regions on the media. Imperfections, head wobble, electrical noise - all contributed to creating variable sized domains. Now, magnetic polarization of materials has some odd effects - one is that inducing a region of magnetic polarity doesn't swamp out a neighboring region, it will first "push" it away. So if you write "1", then "0", then "1", the thin band of magnetism from the first "1" will be at the outer most edge of the track, with another thin band of "0" and finally the actual "1" that the head sees.
The "killer app" of magnetic force microscopy was then that you could stick the platters under MFM and beat the resolution of the head for reading the data - the oldest copy of the data would be squished up at the edge of the track, the second oldest further in and so on and so forth - you could actually read back several generations of hard disk data.
Of course, since that age, technology has changed - hard disks now use RF modulation to store multiple bits per space, bit densities have shot up, and heads track much more accurately - basically, the physics has been beaten out since we are now writing much more complex data, and almost every single bit of magnetically encodable space on a hard disk is now used to encode data - there's (very little) space between platters, and what signal you get there is likely irrecoverably fuzzed RF if you can even see it at all.