Slashdot Mirror


User: blueg3

blueg3's activity in the archive.

Comments · 4,435

  1. Re:Whatever on Adam Lanza Destroyed His Computer Before Rampage · · Score: 1

    You roughly have the theory correct -- it's based on magnetic hysteresis. There's actually electrical hysteresis for flash memory (which is a thoroughly different mechanism), but it's a much different effect and not useful for trying to read remnants of past data.

    However, even old, simple hard drives don't quite follow the simplistic model you're thinking of and applying this in the field is particularly challenging. (Note that in the field you don't get a copy of the past state of the drive and your ability to perform tests on it is limited. So while you can demonstrate in a lab that there is a reasonable probability of differentiating between a 1-bit written to a location that used to contain a 0-bit and one written to a location that used to contain a 1-bit, in the field all you get are measurements of the current magnetic state of the drive. Each cell could have been overwritten many, many times. Even if you have a similar disk to perform testing on, working back from a single measurement of the drive's magnetic state to its previous contents is a very challenging task.)

    Modern hard drives store data in a form that is nothing like that simple model. Signals are complex and packed very closely together, to the point that hysteresis effects are impossible to measure accurately enough for any attempt at data recovery. (Even Gutmann has said this.)

  2. Re:This is a distraction from the real issue. on TSA (Finally) Studying Health Effects of Body Scanners · · Score: 4, Interesting

    There are problems with many of the arguments against the scanners.
    The medical danger should be a concern to everyone, but evidence suggests that the danger is negligible (though possibly nonzero).
    The privacy danger is patently obvious and verifiable (though sometimes overstated), but it's just not a concern to many.
    The cost-benefit argument has the problem that the "benefit" can be very difficult to accurately measure and the government may choose not to disclose data about whether the devices are beneficial. (This is, regardless, the argument I prefer.)

    That's not to say there are no problems with arguments for the scanners. At the very least (the very least), it makes sense to use the microwave scanners over the X-ray backscatter. The medical danger is known to be zero, which is even better than the backscatter's best-case of "is probably zero". Even if they're less effective, we don't seem to be relying on either system to be particularly effective.

  3. Re:Not just airport scanners on TSA (Finally) Studying Health Effects of Body Scanners · · Score: 1

    The dosage is much less than that of the airport scanners, in that the dosage of ionizing radiation in airport scanners is nonzero (for X-ray backscatter type scanners) and the dosage of ionizing radiation in anti-shoplifting RFID detectors is zero. So, yeah, pretty different. I wouldn't worry about the effect, though. It's zero too.

  4. Re:Let me guess on TSA (Finally) Studying Health Effects of Body Scanners · · Score: 1

    If the machines only give one person in 100 million cancer, they're still more dangerous than the terrorism they're supposed to be preventing.

    And if they give one person in 100 billion cancer, they might not be. Quantification matters, and you can be wrong by 3 orders of magnitude even with back-of-the-envelope calculations (to say nothing of the accuracy of pulling numbers out of thin air).

    Says who? Do you have hard info on this type of radiation?

    It depends on what you're actually asking. Amount of exposure caused by the devices? Body tissue absorption and cellular damage efficacy of radiation of that frequency? Dosage to cancer probability increase? All of these are publicly-documented. The most poorly-known factor, to my knowledge, is whether the linear-to-zero model of dosage to cancer probability is valid. It is, however, a fairly pessimistic model and the one that is used in estimating the danger of low-dose radiation.

  5. Re:The hypocrisy just keeps getting worse. on TSA (Finally) Studying Health Effects of Body Scanners · · Score: 2

    ...In context with Fukushima and a non-polluting energy source: RADIATION BAD!

    In the context of nuclear power, "radiation" really is referring to radioactive isotopes and potentially-large quantities of high-energy electromagnetic radiation, alpha rays, and beta rays. In the context of a nuclear accident like Fukushima, it is referring more to the uncontrolled dispersal of radioactive isotopes (which are toxic independent of their radioactivity) and the uncontrolled release of very large quantities of mostly high-energy electromagnetic radiation.

    ...In context with police state enabling technology: RADIATION GOOD!

    In the context of backscatter X-ray scanners, "radiation" is referring to controlled exposure to a known and very small quantity of relatively low-energy (but still ionizing) electromagnetic radiation.

    As another example: In context with cell phones: RADIATION MAYBE BAD?

    In the context of cell phones, "radiation" is generally referring to controlled exposure to a measurable and limited (but highly variable) quantity of low-energy, non-ionizing electromagnetic radiation.

    It turns out "radiation" is used in a technical context to refer to a lot of things -- to the point that it should not be used alone in a technical context. In a casual context, it's used to refer to an even broader set of things -- to the point that "radiation" does not help clarify the situation (though it may serve to incite a reaction) unless you know a priori what kind of radiation you're talking about.

    Hunh. Who would've thought: context does matter!

  6. Re:Whatever on Adam Lanza Destroyed His Computer Before Rampage · · Score: 1

    I'm not counting disk-erasing programs that don't erase the disk in any meaningful sense. Those aren't really disk-erasing programs so much as they are a pile of crap. (Alternately, they're a confusion about what a feature is supposed to do.)

    Sadly, one of the techniques that sometimes does nothing is a vendor's implementation of the ATA (ENHANCED) SECURE ERASE UNIT command, which is a shame, because the vendor could have just declared that it doesn't implement the command.
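    An added check for the situation described in comment 6 (not part of the original comments, and not the user's code): before issuing the erase, plant a handful of unique markers at known offsets; after the drive reports the erase complete, look for the markers and confirm the device reads back as a single fill byte. A vendor implementation that silently does nothing leaves every marker where it was. The marker list is constructed here, the "disk" is a temporary file full of random data, and the overwrite function is a stand-in for the drive-side erase (on real hardware that step is hdparm's --security-erase, which this block does not run).

```python
import os
import random
import tempfile

MARKER_LEN = 32   # bytes per marker
SLOT = 4096       # markers sit on distinct 4 KiB slots so they never overlap each other


def device_size(fd):
    """Size in bytes of a regular file or a block device (os.path.getsize reports 0 for devices)."""
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return end


def plant_markers(path, count, seed=1234):
    """Write `count` unique 32-byte markers at pseudo-random, non-overlapping offsets.

    Run this BEFORE the erase. Keep the returned (offset, marker) list somewhere other
    than the drive being erased; it is the only way to recognise the markers afterwards.
    """
    rng = random.Random(seed)
    markers = []
    with open(path, "r+b", buffering=0) as f:
        slots = rng.sample(range(device_size(f.fileno()) // SLOT), count)
        for slot in slots:
            marker = bytes(rng.getrandbits(8) for _ in range(MARKER_LEN))
            f.seek(slot * SLOT)
            f.write(marker)
            markers.append((slot * SLOT, marker))
        os.fsync(f.fileno())
    return markers


def surviving_markers(path, markers):
    """Offsets whose marker is still readable. After a real erase this list is empty."""
    alive = []
    with open(path, "rb", buffering=0) as f:
        for offset, marker in markers:
            f.seek(offset)
            if f.read(MARKER_LEN) == marker:
                alive.append(offset)
    return alive


def check_blank(path, block_size=1 << 20, max_blocks=None):
    """Read the device (or its first `max_blocks` blocks) and report whether every byte is the same.

    Returns (is_blank, fill_byte). Erased HDDs normally read back as 0x00; some SSDs read
    back as 0xFF. Any block that is not uniformly the fill byte was not touched by the erase.
    """
    fill = None
    blocks = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            if fill is None:
                fill = chunk[0]
            if chunk.count(fill) != len(chunk):
                return False, None
            blocks += 1
            if max_blocks is not None and blocks >= max_blocks:
                break
    return True, fill


def overwrite_all(path, fill=0x00):
    """Stand-in for the drive-side erase so the demo can run on a temp file. On real hardware
    this step is `hdparm --security-erase` and the firmware is supposed to do the work."""
    block = bytes([fill]) * (1 << 20)
    with open(path, "r+b", buffering=0) as f:
        remaining = device_size(f.fileno())
        while remaining > 0:
            remaining -= f.write(block[:min(remaining, len(block))])
        os.fsync(f.fileno())


def demo():
    """Constructed 4 MiB 'disk' of random user data; compares a no-op erase with a real one."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(4 << 20))
        path = tmp.name
    try:
        markers = plant_markers(path, 16)
        result = {"planted": len(surviving_markers(path, markers))}
        # A vendor erase that silently does nothing leaves every marker in place.
        result["after_noop"] = len(surviving_markers(path, markers))
        result["after_noop_blank"] = check_blank(path)[0]
        # A real erase: markers gone and the whole device reads back as one fill byte.
        overwrite_all(path, 0xFF)
        result["after_erase"] = len(surviving_markers(path, markers))
        result["after_erase_blank"], result["fill"] = check_blank(path)
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

    Against a real device, point plant_markers and the two checks at /dev/sdX (as root) and run the drive's own erase in between; check_blank with max_blocks set gives a quick sample, without it the full read is the real proof.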

  7. Re:One has to wonder. . . on Instagram Wants To Sell Users' Photos Without Notice · · Score: 1

    Of course, if it's taken in a public place, your models only have any right to compensation if it's used for advertising. Your uploading to Instagram is not publication for advertising purposes, though Instagram's later re-use of it might be. (You could easily claim that it's "fine art", though that's stretching both "fine" and "art".)

  8. Re:Stockphotos on Instagram Wants To Sell Users' Photos Without Notice · · Score: 2

    Fortunately the game's made up and the points don't matter.

  9. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    Of course they could, but it's still an offline protocol (by necessity), so it would need to fail and stay broken until user action.

  10. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    Notification of change? There are two problems. One, when there's a change, Google's behavior would have to be to silently break until it could notify the user. In Firefox, a changed cert is noticed as a result of a user action, so you know the user is there to deal with the situation. Two, it's less deliberate, so realistically a lot of people are going to click through the "check the fingerprint" or "oh hey, this cert changed" screens in order to just get their POP3 working again. Making it hard for people to ignore potential serious security problems is unpopular but important.

  11. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    Because they actively use them on networks and computers that are moderately secure and noticing SSL hijacking is not particularly hard. So the likelihood of someone noticing SSL hijacking is high if a lot of people are given the opportunity.

  12. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    ... which in addition gives the military the opportunity to spy on other, unrelated SSL communications as well. Especially, with the US military, I'd be careful about importing them as a root CA...

    True, though you only do it if you have specific business with them. Hopefully you also have control of your own networks at that point, too. Of course, there are plenty of protections you can perform -- like only installing it in a VM.

    It seems pretty unlikely that it's going on, particularly since it's available to a ton of contractors and SSL hijacking is not so hard to notice. I'd be much more concerned about your employer having you install their root CA on your machine, as they certainly are in control of your network (and employers using SSL hijacking to monitor traffic does happen).

  13. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    That's not out-of-band key distribution, though you're correct that out-of-band key distribution would solve the problem just fine, with the exception that SSL doesn't support it. It's out-of-band key verification, and it is also a solution, just one Google didn't choose to implement. I was only arguing that SSL encryption without certificate validation is worthless; not that CAs are necessarily the only way to do certificate validation.

  14. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    I didn't miss it, but it's not a very good solution. It's better at that point to require the person to upload the cert or, better, the signer's cert manually.

  15. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 1

    Well, if you're such an enterprise, you're doing IT management well enough that everyone that needs to be able to validate such a cert has the root CA installed on their machine.

  16. Re:Whatever on Adam Lanza Destroyed His Computer Before Rampage · · Score: 1

    That's what Gutmann's paper is about, actually. As far as I know, it may have been done on test data in a lab, but it's never been put to real use in the field even once.

  17. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 2

    Or, you're a large organization and running your own CA means saving $30 x (large number N) per year. Or, you're aware that getting a "real" cert is no guarantee of security.

    Or you're a large organization that trusts yourself more than you trust any CA. Like, for example, the US military, which runs its own CA.

  18. Re:Google should then provide signed certs on Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs · · Score: 3, Insightful

    instead of using SSL for its encryption capabilities (Google is now forcing authentication as a bundle)

    Because an encrypted communication using only an IP address for authentication is no encryption at all. Any attacker reasonably capable of intercepting your communications to read them is also capable of undetectably executing a man-in-the-middle attack on the SSL connection.

    This increases security because it encourages people who actually want encrypted POP connections to use an approach that actually provides that rather than using an approach that appears to provide it but doesn't.

    It would be nice to have the ability to upload the signer's cert and use that for verification, though. That enables secure use of self-signed certificates.
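    An added example for the point made in comments 10, 13 and 18 (not part of the original comments, and not the user's or Google's code): a POP3-over-TLS client that shows the three options side by side. The insecure one encrypts with no certificate validation, which is the mode any on-path attacker can MITM undetectably. The two hardened ones are the "upload the signer's cert" approach (validate the chain against a CA file handed over out of band; a self-signed server cert is its own signer) and out-of-band key verification (pin the leaf's SHA-256 fingerprint and check it before sending credentials). The host, account and fingerprint are assumptions supplied by the caller; the DER bytes used in the fingerprint check are a constructed stand-in. Only the standard library is used.

```python
import hashlib
import hmac
import poplib
import ssl


def insecure_context():
    """Encrypts but authenticates nothing: whoever is on the path can hand us their own
    certificate and read the session. This is the mode Google stopped accepting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def signer_cert_context(cafile=None):
    """Validate the server's chain against a signer certificate delivered out of band
    (for a self-signed server cert, pass that cert's PEM as the cafile).
    With cafile=None the OS trust store is used instead."""
    return ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check


def is_authenticating(ctx):
    """True only if the context verifies who it is talking to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, expected):
    """Compare the observed leaf certificate with a fingerprint verified out of band.
    Accepts the colon-separated upper-case form that openssl prints."""
    expected = expected.replace(":", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der_cert), expected)


def pop3_login(host, user, password, port=995, cafile=None, pinned_sha256=None):
    """Open a POP3-over-TLS session and authenticate only after the server is verified.

    Exactly one check runs: chain validation against `cafile` (or the OS store), or a
    manual pin of the leaf fingerprint. There is no 'encrypt but don't check' path.
    """
    if pinned_sha256 is not None:
        # Library verification is off here on purpose; the leaf is checked by hand below,
        # before any credential leaves this machine.
        ctx = insecure_context()
    else:
        ctx = signer_cert_context(cafile)
    conn = poplib.POP3_SSL(host, port, context=ctx)
    if pinned_sha256 is not None:
        leaf = conn.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(leaf, pinned_sha256):
            conn.close()
            raise ssl.SSLCertVerificationError(
                "server certificate %s does not match the pin" % sha256_fingerprint(leaf))
    conn.user(user)
    conn.pass_(password)
    return conn
```

    The pinned variant has exactly the property comment 10 describes: when the server's certificate legitimately changes, the login fails and stays failed until someone updates the pin by hand, which is the price of not letting a silent cert swap through.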

  19. Re:Why physically damage the drive? on Adam Lanza Destroyed His Computer Before Rampage · · Score: 1

    It's not difficult and it's probably quite factual to say, "the drive was destroyed beyond recovery".

  20. Re:Whatever on Adam Lanza Destroyed His Computer Before Rampage · · Score: 1

    Doesn't really matter. If he succeeded in damaging the platters much at all, it's unrecoverable. (A damaged drive with undamaged platters is recoverable.) If he didn't, then we'll find out if he wiped it or not. If he wiped it, that's also unrecoverable.

  21. Re:Why Physical Destruction Works on Adam Lanza Destroyed His Computer Before Rampage · · Score: 2

    Without the platters in perfect physical shape, you'd risk destroying the electron microscope's fragile tip.

    While the MFM approach has never been used in practice and certainly doesn't work on any modern drive, the quoted sentence isn't true. MFM and STM are both quite capable of sensing the distance between the tip and the material accurately -- especially if you know in advance some information about the material's properties -- and automatically keeping the tip from crashing into the material. A tip crash isn't really a big deal, either. It's easy enough to make a new one or to reshape the current (deformed) tip so that it works again.

  22. Re:Whatever on Adam Lanza Destroyed His Computer Before Rampage · · Score: 4, Informative

    Gutmann's paper is actually the basis for the myth that you can recover data from a logically-wiped drive: that is, one that's been entirely overwritten with other data (e.g. zeroes).

    That, too, cannot be done.

  23. Re:Why physically damage the drive? on Adam Lanza Destroyed His Computer Before Rampage · · Score: 1

    I believe it's currently in a Connecticut State Police lab, and it doesn't really have much of a chance of preventing future crimes. It's high-profile enough that I'm sure they'll look into it pretty well, but they already have a pretty significant backlog of evidence that will be used to prosecute people to prevent them from continuing to commit crimes, which is more useful.

  24. Re:Bill of Rights trolls on Anonymous Hacks Westboro Baptist Church · · Score: 1

    The appropriate response is actually to just organize counter-protests that block or drown out their feeble message, until hopefully they run out of money.

    Really? I'm thinking there must be some way that it's illegal to deliberately create provocative situations in an attempt to fish for torts.

    At the very least, this is behavior for which you should be disbarred.

  25. Re:Fighting words on Anonymous Hacks Westboro Baptist Church · · Score: 1

    Headline: Area man cites actual Supreme Court ruling instead of inventing own interpretation of Constitution