Wipe function details

Erpo erpo41 at hotpop.com
Wed Mar 31 06:18:50 CEST 2004


On Tue, 2004-03-30 at 13:00, Kyle Hasselbacher wrote:
> On Tue, Mar 30, 2004 at 09:35:53PM +0200, antalsia at free.fr wrote:
> >[...] Has someone performed advanced tests, what is the best known method
> >to erase data ? 
> 
> Simson Garfinkel wrote a while back that writing over data once is enough.
> Here's a link to the article:
> 
> http://www.simson.net/clips/2003.CSO.04.Hard_disk_risk.htm
> 
> Here's the relevant part:
> 
>     In fact, there is no unclassified evidence that data on a modern hard
>     drive can be recovered after it has been overwritten with just a single
>     pass of random information. Some have made such claims, but no such
>     recovery has ever been demonstrated in public. Today's hard drives are
>     specifically designed not to work that way. When you save a new version
>     of a Microsoft Word file on your hard drive, for instance, you want to
>     get the new not the old version.

I have a different interpretation of Garfinkel's article, and I think
it's dependent on how paranoid you are (or alternately, how much
security you need). If you don't care about anyone seeing your data,
don't do anything*. If you want to protect yourself against very casual
snooping, do an fdisk and/or reformat. If you want to protect yourself
against deliberate attempts to recover your sensitive data, it's more
complicated.

Garfinkel sums up part of the problem very well in his last sentences.
"Today's hard drives are specifically designed not to work that way.
When you save a new version of a Microsoft Word file on your hard drive,
for instance, you want to get the new not the old version." In other
words, once you've overwritten with random data the sectors that
contained your sensitive information, subsequent attempts to read data
by conventional means from those sectors will yield the random data.

The remaining concern is that somehow, a snoop might be able to take a
drive that has been overwritten a single time with random data and
recover the original private data not by attaching the drive to a
computer and issuing read commands, but by physically taking it apart
and using equipment that somehow examines the data storage medium more
carefully. Garfinkel claims that if such equipment exists, it has never
been demonstrated publicly. This is not evidence that such equipment
does not exist -- only that he does not know about it (or alternately,
if you're really into conspiracy theories, that he doesn't want us to
know about it ;) ).

If that possibility troubles you, you have a number of options:
-Use multiple-pass wipes and hope that defeats the unknown data recovery
technology.
-Encrypt your sensitive information.**
-Grind your hard drives into sand when you're done with them.
-Other things I haven't thought of.


Hope that helps,

Eric



*Assuming, of course, that all you care about is your own security and
safety. You hear people say all the time that when encryption is
uncommon, sending an encrypted message could be interpreted by an
observer as shouting, "I'M DOING SOMETHING I DON'T WANT ANYONE TO KNOW
ABOUT!!" The more people who encrypt their data, the less dangerous it
becomes to be "caught" using cryptography. You might argue that the more
people who properly wipe their drives, the less drive wiping seems a
strange or suspicious activity.

**Encrypting your sensitive information is _NOT ENOUGH_. You also have
to understand the process well enough not to make mistakes that blow
your security (like using a simple passphrase, or running gpg across an
insecure channel, or decrypting your data to a temporary file and not
taking that into account, or letting the vmm swap it out to an
unencrypted storage medium, or any number of things people unknowingly
do to compromise their security). Also, note that exposing encrypted
copies of your information to the world, even when employing best
practices, is not necessarily safe. If computing power continues to
increase the way it has historically and the human race does not die
out, it will eventually become practical for someone to decrypt your
information using well-understood brute force methods. It may take 10 or
50 or 100 years for sufficiently powerful computers to be developed, but
it will eventually happen. And that's totally ignoring possible flaws in
whichever algorithm (or implementation ;) ) you're using, or significant
advances in cryptanalysis.
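
The single random pass discussed in the message above, as an added example that is not part of the original post: it overwrites a file in place and checks that an ordinary read no longer returns the old bytes. It assumes a filesystem and device that write in place, covers only reads by conventional means, and uses hypothetical function names and constructed sample data.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in bounded chunks so large files are not held in memory


def overwrite_once(path):
    """Overwrite the file's existing bytes in place with one pass of random data."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the writes target the existing contents.
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # ask the OS to push the pass out of its cache
    return size


def conventional_read_contains(path, needle):
    """Return True if an ordinary read of the file still returns `needle`."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    secret = b"CONSTRUCTED-SAMPLE-SECRET"  # constructed sample data
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret * 4096)
        before = conventional_read_contains(path, secret)
        size = overwrite_once(path)
        after = conventional_read_contains(path, secret)
        same_length = os.path.getsize(path) == size  # file was not truncated or grown
        return before, after, same_length
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```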


More information about the Gnupg-users mailing list