Ask Slashdot: Data Remanence Solutions? 209
MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"
Why not digital destruction? (Score:5, Insightful)
Re: (Score:3)
One of the best uses of the Linux kernel ever!
Not to mention on hell of a fine piece of software.
Re:Why not digital destruction? (Score:4, Interesting)
There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
How do you verify that the software does this correctly, and that it hasn't been tampered with? What if a drive is mishandled and doesn't get wiped? And if there's a process to do this correctly and with no chance of failure, is it worth that effort to recycle some old hard drives?
Where I work, hard drives with less-sensitive data can be reused; other ones are ground up into little bits. Data cannot be recovered(*) from a thoroughly destroyed hard drive. What assurance is there for a software solution?
(*) To the best of my knowledge. Maybe NSA can piece together the dust of a hard drive, but I highly doubt it.
Re:Why not digital destruction? (Score:5, Funny)
How much checking could a checker check if a checker checkering checked checks to check the checks that checked the checkering checker?
Re:Why not digital destruction? (Score:5, Interesting)
A lot of disks have "bad sector" replacement. When a sector starts to be unreadable, it replaces that sector with a spare one set aside for that purpose. Does the software wipe out these revectored sectors, or can someone read those old sectors after software overwrite?
It depends on the security threat on how serious you need to be about wiping data off drives. Sometimes just 'rm'ing files is enough. Sometimes dropping them in a volcano isn't enough.
Re: (Score:3)
Well, DBAN is open source. If you have suspicions, you're welcome to review the source compile your own version with a trusted compiler. If that isn't to your liking, there are commercial tools that do the same thing.
As for, "What if a drive is mishandled and doesn't get wiped," well, isn't that a concern with physical destruction too?
Re: (Score:3)
Well, DBAN is open source. If you have suspicions, you're welcome to review the source compile your own version with a trusted compiler. If that isn't to your liking, there are commercial tools that do the same thing.
This requires a) proving that the software is correct and b) verifying that the compiled result hasn't been tampered with. For the latter, I'll refer you to http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com].
As for, "What if a drive is mishandled and doesn't get wiped," well, isn't that a concern with physical destruction too?
Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed (along with inventory checks on all hard drives being removed from a facility) than it is to verify that a hard drive has been properly wiped.
Re:Why not digital destruction? (Score:4)
Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed
Imagine, if you will, someone who wanted your data and could intercept the drive for long enough to swap the platters on a drive (thus taking the important data with them). How do you verify that your data was destroyed?
One way would be to send a backup (or SHA1 hash) of the data on the drive to the data destruction facility and have them verify that the data on drive serial number 123456789 is what it is expected to be before destruction. If you aren't doing something like this, then you have no way of knowing whether your data is really gone or not. If you think this sort of thing can't happen, read some of the stories about how people get back the wrong ashes from cremations.
Re: (Score:3)
Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed
Imagine, if you will, someone who wanted your data and could intercept the drive for long enough to swap the platters on a drive (thus taking the important data with them).
If someone wants your data and they have enough access that they can actually swap platters and smuggle the data out, then you're already in trouble. Destroying a hard drive makes it a lot less likely that data will be inadvertently leaked.
Re: (Score:3)
Re: (Score:3)
is free, and just as good.
Re: (Score:3)
shred -n# -v /dev/sdx where # is the number of passes to make.
Re: (Score:3)
pseudo-random is also slow.
Re: (Score:2, Informative)
Re:Why not digital destruction? (Score:5, Informative)
Yea, you're remembering that contest how you want to remember it. The prize was a pittance, and the "company" offering it was a handful of people. There were also ridiculous restrictions, such as not damaging the single physical drive the whole challenge was based around. And several data companies said they likely could recover some data, just not necessarily the specific file that that the challenge was based around (as a general rule, you can't target a file, you get whatever it is you get). But the process involves ripping the drives to pieces and costs significantly more than the challenge was worth. And since the challenge was issued by a handful of guys rather than an actual, large company, very little publicity would have been generated, so it wasn't worth it to anyone.
Now, even if that story happened exactly as you remember it, it's still irrelevant. The point isn't that that it's currently possible, it's that it's theoretically possible and thus may be trivial in the near or distant future. For certain kinds of data, that is a world of difference.
Re:Why not digital destruction? (Score:5, Interesting)
Yea, you're remembering that contest how you want to remember it. The prize was a pittance, and the "company" offering it was a handful of people. There were also ridiculous restrictions, such as not damaging the single physical drive the whole challenge was based around. And several data companies said they likely could recover some data, just not necessarily the specific file that that the challenge was based around (as a general rule, you can't target a file, you get whatever it is you get). But the process involves ripping the drives to pieces and costs significantly more than the challenge was worth. And since the challenge was issued by a handful of guys rather than an actual, large company, very little publicity would have been generated, so it wasn't worth it to anyone.
Now, even if that story happened exactly as you remember it, it's still irrelevant. The point isn't that that it's currently possible, it's that it's theoretically possible and thus may be trivial in the near or distant future. For certain kinds of data, that is a world of difference.
+1 for AC
In addition, they required that you release your methods for recovering the data, which I'm sure is worth a lot more than the 3-4 digits they were offering.
Re: (Score:3)
Re: (Score:3)
There was a challenge not long ago for anyone to recover any data whatsoever from a harddisk that had been overwritten just once with zeros (which should be considerably easier than one that was overwritten with random data). I don't remember what the prize was, but it was a considerable amount of money and would have been priceless publicity for any data recovery company that could pull it off.
That fact that nobody publicly proved that they could do this does not mean that it can't be done. If NSA had the capability to do this, do you think they'd share that information? If the data is sensitive enough, why risk even a very small chance that it could be recovered by the wrong party?
Re:Why not digital destruction? (Score:4, Insightful)
The old "You can recover data even after it's overwritten" thing is a myth [wikipedia.org].
Today's bit densities are so high that it simply isn't going to happen.
Format them. Run a small program to write a file (can be the output of a RNG if you want) until the disk is full. Job done.
Or, as mentioned, use one of the many programs available for this.
Take the "repeatedly overwrite" thing with a pinch of salt unless you really enjoy sitting there watching hard drive lights blinking.
Re:Why not digital destruction? (Score:5, Insightful)
Yes, but this is a government contract with specific destruction requirements. Go complain to the feds if you don't like the myth. Or maybe the government knows something we don't. Who knows?
Re: (Score:2, Informative)
The contract has explicit instructions, which your company knew when bidding the job. So, you've been paid to destroy those drives, whether your accounted it that way or not.
Do not put your company at risk of defrauding the government.
Re: (Score:3)
You've already been paid for the replacement, that was part of the fee.
Re: (Score:3)
Destroy the drive, and invoice the government for the cost of it's replacement. They'll pay it.
...and people still wonder why the economy is swirling the drain.
Re:Why not digital destruction? (Score:4, Insightful)
Its not a myth, its a theoretical possibility that either noone has the current capability to do, or they do and its simply too cost prohibitive, or else we simply dont know about it. Thats not terribly reassuring if youre dealing with data whose leak might cause jail time.
As for formatting, depending on how you format the drive, it may or may not overwrite the data at all and may leave it ripe for the picking.
Honestly, if youre dealing with government and they say "we want the drives shredded", DBAN set to a DoD approved setting MIGHT be a reasonable suggestion, as would encryption (as we can actually quantify the risk there, and it is vanishingly small), but saying "ah, just zero it once or format it, it doesnt make a difference" sounds incredibly foolhardy.
Re: Digital destruction is fine, but... (Score:2)
Re: (Score:2)
That's great IF your motherboard actually supports the command. A surprising number of SATA controllers will refuse to transmit the command (something about NSA involvement there too)...
Re:Why not digital destruction? (Score:5, Informative)
I like combining DBAN with HDDErase.
HDDErase will do an ATA low-level secure erase that tells the controller to zero out all sectors. Even though that are on the relocated table which would be inaccessible via normal software solutions.
After HDDErase does its job (which it does in a pretty quick amount of time since there is no I/O involved, but just the write head laying down zeros), running DBAN on the drive adds further insurance. Realistically, this will remove all data.
Of course, prevention is a good idea as well. This is why I have some type of FDE software on my drives. This way, a simple zeroing out of the drive will be enough. In fact, the format command in Windows will check to see if a disk is BitLocker protected and zero out the places where the volume key resides, so even if someone knew the password to the drive, it will do them no good.
Re:Why not digital destruction? (Score:4, Informative)
There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?
Some classifications of data require destruction of media. See NIST SP 800-88:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
In NIST/DoD parlance, what DBAN is cleaning/purging; i.e., either overwrite, or invoke the SATA Secure Erase command. Degaussing is also classified as purging (though the disk becomes unusable AFAIK); degaussing is better suited towards tapes IMHO.
You also need to Validate that it has been done, and document that fact for each drive that has been sanitised.
The OP will have to ask the contract manager at what level the information is considered at (low, medium, high) and then make plans accordingly. If it's high security, one can simply purge the media if you want to re-use the media with-in an organization, but if you ever want to toss the disk (or even if it's in a RAID array and you need to replace because it died), you need to destroy it and record that fact.
So if your EMC/NetApp/Dell array has sensitive information, you can't send it back to the OEM if sensitive data ever touched it: you have to make arrangements with the OEM so that you can destroy it. Ditto for your laptop/desktop drives: if Lenovo/HP want/s the drive back, they can't have it as otherwise you'll be breaking your contract with the government.
Re:Why not digital destruction? (Score:4, Informative)
It also effectively returns non-TRIM SSDs to a factory state. Remember: when used on SATA drives, set your bios to IDE compatibility mode, not AHCI.
Re: (Score:2)
Yep, this is better than encrypting the drive in that it's possible to secret away a copy of the encryption key and later unlock all the data, or perhaps the algorithm used for encryption gets broken, so suddenly the data is readable again, and so forth.
Encryption offers no advantage over a strict drive wipe, particularly with random data. Realistically multiple passes are not needed because modern bit densities make it improbable that magnetic memory can be meaningfully recovered. Thinking it does demons
Re:Why not digital destruction? (Score:5, Insightful)
D-BAN is great... but if the contract says "Thou shalt turn over thy hard drives for destruction..." then its already been agreed on, and the cost was factored into the bid. Deal with it.
It's not up to us, or the submitter (Score:5, Informative)
It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.
Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:
Since Oct 2007, when ISL 2007-01 [dss.mil] (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.
Degaussing has to be done using a deguasser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)
Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the curie point. You can't just toss it in any old shredder.
You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.
Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.
Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 [nist.gov] is one; it allows for sanitization by overwrite, IIRC.
All you have to do is... (Score:3, Funny)
Re:All you have to do is... (Score:5, Insightful)
You've said it better than I could - and I'd go further to say that the fact that he considered encrypting the data and then destroying the key indicates that the OP is incompetent to be doing this kind of work. You don't destroy data by making an unreadable copy of it. You destroy it by destroying it, which could mean physical destruction, or could mean multiple overwrites (but the face that the government requirements state physical destruction implies that they have already considered and rejected this option).
Re: (Score:3)
This. Think about it. The data's on the disk in the clear. You're either going to overwrite it with random bits, or with an encrypted version of itself. Magnetically there's not a lot of difference there. If the original data can be retrieved in one scenario it can be retrieved in the other one. What's more, if you're encrypting rather than overwriting with garbage, now you have the encrypted data that can be attacked. (Obviously if the cleartext never hits the hard drive in the first place it's a co
DBAN (Score:5, Informative)
DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.
If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.
Re: (Score:3)
What about re-mapped sectors? Writing to the drive only destroys data on sectors that have not been re-mapped.
This may not be an issue because it might be a good idea to not reuse any drives with remapped sectors so those could go for shredding.
Your Problem (Score:2, Insightful)
I recommend inventing some bloated bureaucratic process that involves miles of red tape, and doesn't actually address the issue at hand.
Hell, they might give you a fucking medal for that.
Re: (Score:2)
No, the cost of hard disks is trivial. Destroy them as agreed and quit whinging.
Depends..... (Score:2, Insightful)
Assuming it a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.
Why bother with the encryption? (Score:2)
If you just need to destroy the data then why not write random garbage to the entirety of each drive several times?
That's more certain for not being able to recover the data than using some encryption, which still has some structure and so with the application of sufficient time and resources might be recoverable.
There must be some sort of government/military specification for data disposal along the "write random garbage" lines which would satisfy your clients.
Re: (Score:2)
Why not do both? Write encrypted random garbage to the hard disks. Everyone is happy!
Re: (Score:2)
Writing random garbage to disk is the one place that ROT-13 encryption is actually good enough for.
Re: (Score:2)
Encrypting truly random data does not make it more random... You could argue that getting enough entropy to do that without an external random number generator would be hard, although Intel's upcoming chips have a DRNG that can pump out good quality entropy to go into the system RNG at speeds faster than an HDD can write sequentially.
what the fuck? set them to random bits.. (Score:2)
why don't you just set them to random bits, if that is the goal.
don't go writing that report, you'd sound silly. unless your superiors are really, really dumb.
Is destruction needed anymore? (Score:2)
It used to be that there were several ways to recover data from a wiped drive even after wiping the data and writing over it, but from what I understand that due to the size of a bit on a modern hard drive that it is impossible to read something that has been overwritten.
Easy Peasy (Score:5, Insightful)
Re:Easy Peasy (Score:4, Informative)
Totally agree, if the contract is renewed the destruction can't be necessary until termination of the extension UNLESS this is not a renewal but a NEW contract. THEN you need to ask for a WAIVER
Poor negotiation is not best fixed technically (Score:4, Insightful)
I agree. You're trying to solve a commercial issue (and possible mistake) with a (poor) technical solution.
As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?
Your contact negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.
As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.
NIST says zero-fill is enough for modern drives (Score:2)
See here:
http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data [wikipedia.org]
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf [nist.gov]
Zero-fill (full disk, including bad sectors) is good enough unless there's some top-secret spy tech that you need to protect against (SQUID transducers is one thing I heard?)
The contract... (Score:5, Insightful)
You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.
Re: (Score:3)
Pretty much. Next time read the friggin' contract, subby. If you don't adhere to the terms of the contract and the government finds out, this could well be your company's last government contract. If you're lucky.
Why would they agree? (Score:5, Insightful)
Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.
Make sure your negotiators don't foul this up for future contracts.
Re:Why would they agree? (Score:5, Insightful)
Exactly. They'll want certificates proving the drives were destroyed per the contract.
Part of your contract bottom line includes the cost of replacing those drives. If your company bid too low and won't make a profit, that's really a shame, but that's something you'll have to take up with the salesperson who wrote the proposal.
Also, realize that hard drives are only expensive *NOW*. Remember what happened in Japan that was supposed to kill the electronics market until the end of the year? In 6 month's time, the prices of hard drives will come back down. Unless your contract is only a month long, the destruction probably won't happen until then, which is probably a year or more down the road (unless it gets renewed again). In the mean time, you only destroy hard drives of PCs that are being decomissioned, so they've already been replaced and no issue at all.
Also - why are you trying to find ways around it? It's in the contract and you wouldn't have gotten it if you didn't agree to the requirement. Is it really to save the company a few bucks? Or is it the inner geek who can't see the sight of tossing a 500GB drive away?
Re: (Score:2)
Or is it the inner geek who can't see the sight of tossing a 500GB drive away?
Or more likely, the inner somethingelse, who can't see the sight of tossing 500GB of mineable data away?
Re: (Score:2, Insightful)
I think you're looking at it the wrong way.
If the original contract requires the destruction of equipment, then the original contract price covers that. Not destroying the hard drives means you should give some money back to the government since you're not completing the work you were paid for.
If they allow old equipment to be used for the new contract there should be a discount on the new contract to account for this.
Uh, your contract was renewed, so... (Score:2)
Why are you destroying the disks? Do you not need any of that data?
Why not request an addendum to the contract that postpones the destruction until a time when the contract is not renewed, or the disks fail (whichever comes first)?
As suggested by others, DBAN is good, or my preferred method is:
write garbage
dd if=/dev/urandom of=/dev/disk
then write zeros
dd if=/dev/zero of=/dev/disk
Proof (Score:2)
Re: (Score:3)
Re: (Score:2)
Exactly. (I'm suggesting that they destroy the media per contract, not try to find some cute way around it to save a dollar.)
If the contract in future can be negotiated to have the drives wiped instead of shredded, blessings.
Re: (Score:2)
That is why you do a two tier destruction process in these situations:
Tier 1 consists of a software erase, a physical degaussing and damaging the drive physically (but still keeping it in one piece). This can be accomplished either by drilling holes in the platters, or having a hydraulic ram bend the drive.
Tier 2 consists of handing the stack of bent drives to Iron Mountain or the shredding place who has the shredder online, who will hand back a certificate of destruction.
This way, the auditors are happy b
Re: (Score:2)
Not worth fighting the bureacracy on this one (Score:2)
1) When it comes to classified data, physical destruction is typically required
2) When it's a "new contract" the only way around the requirement is to amend the contract. Much easier said than done.
Your company likely doesn't have the political pull to amend the contract and/or it will be more expensive to do so than to buy new drives.
But if you CAN change the contract, then just change it to allow DoD-wiping or similar.
I think there may be a political reason to require destroying the drives and buying new
*sigh* (Score:2)
Don't try to find ways to cut costs or save money by skirting around your contractual obligations. You contract says to destroy the hard drives. You MUST destroy them. You WILL lose your contract if you do not.
If you have a Security department, take you concern to them or your Contracts Manager for this contract. They will tell you the same thing...especially if it's a classified program.
Don't go looking for a problem for your solution (Score:2)
Replacing the drives might not be a bad idea.
If the drives are a couple of years old, you might be better off destroying the drives and buying new ones. The cost of certified drive destruction is pretty cheap, new drives can be had for not much ($60 to 200 depending on whether desktop or workstation).
The lifespan of drives isn't infinite so this would be a good opportunity to replace the 3 or 4 or 5 year old drives with new ones. The incremental labor of removing the drive, putting it in the send out for s
Radia Perlman's Ephemerizer (Score:3)
I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract [mendeley.com]:
Google turns up this copy in PDF [filibeto.org].
Hope that helps!
Endless loop (Score:2)
> I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed
How do you destroy the key? You encrypt it and destroy the second key that you used to encrypt the first one? That's convenient, now you just have to repeat the process in a recursive manner and it should be completed in NaN years.
Re: (Score:3)
Simple: Key on usb-key, destroy that. Or use passphrases that unlock the key and destroy the master-key. For example, LUKS is implemented that way with explicit anti-forensic splitting of the master-key, i.e. if you successfully wipe just a few bytes of the master key blown up to about 100kB, you are quite secure.
Romance (Score:3)
I came here expecting an eye-opening discussion regarding some some emerging theory of systems administration regarding "data romance".
Son, I am disappointed.
Re: (Score:2)
Security != contract conformant (Score:2)
As to secure destruction, encryption is quite fine, if it is modern encryption done right. (I have seen some commercial things that were just stupid....) Overwriting, as some here suggested unfortunately does not do the job, because of defect management. For sectors still in use, it is likely just as secure as encryption, but it does exactly noting for reallocated blocks. (Even more so for SSDs and flash-drives).
For Windows, TrueCrypt is a good solution. For Linux LUKS with defaults or AES in XTS mode.
But t
Re: (Score:3)
Er... if overwriting is not sufficient due to defective sectors, then how does encrypting the data deal with those defective sectors? And how does writing an encrypted version to a SSD do a better job than writing random data to a SSD? It's worse, because you can write data to the entire SSD whereas encrypting will only write as much as you encrypt, leaving some blocks unwritten.
Re: (Score:2)
Indeed. The defectives must already have encrypted data in them that was put there _before_ they became defective.
For overwrites, HDDs, and possibly SSDs, can be wiped with a single pass of zeros. Also, you do overwrites of course on the raw device, not on the filesystem level. (May be a bit difficult to grasp and do for windows users, but is trivial on anything UNIX.)
This is a process issue not a technical issue. (Score:3)
There are a number of good posts on here, and a lot of people saying "use DBAN".
99.99% of the problem space here is the process that proves the drive was wiped and the processes supporting that, 0.01% is doing the wiping.
Re: (Score:2)
contract negotiation (Score:2)
What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high.
It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.
Time to get contracting involved (Score:2)
The only person that can resolve this for you is the government contracting officer. They will have to review the requirements and decide what is an acceptable solution. You can offer up solutions, including keeping the drives in place since the equipment is staying there anyway, but they must make the call.
There hands may be tied by regulations that require physical destruction; in which case you have no choice. They may be able to approve keeping the drives. In the end, they will do whatever keeps them
DBAN or Ghost (Score:2)
So people have already said use DBAN. So I'll point out Symantec Ghost also wipes drives drives using the GDisk utility. Both Ghost and DBAN can wipe a drive with a DoD standard 5220.22-M wipe. Surely if it's good enough for national defense...
L8r
Re: (Score:2)
Just because a wipe utility says it can do a DoD wipe, doesn't mean it does. Even if it does(likely), doesn't mean that the NSA&DoD has tested/audited said program to ensure that it meets the required standards(suprisingly unlikely).
Sounds Like A Contract Mod (Score:2)
If you've got stiff data remanence requirements in your existing contract, it sounds like you'll need to ask for a contract modification. Not knowing exactly what sort of data you're working with, I'll just say it sounds like the customer really wanted to make sure their data didn't end up on eBay by accident.
The time to have provided for an non-destructive alternative would have been when the original contract was being negotiated. That said, ask your PM to ask the customer contracts officer about it. Keep
Plan on losing this argument and buying new drives (Score:2)
Where I work (non-govermental) they are required by law to ensure data is not recoverable from surplus or decomissioned systems, even desktops and notebooks. 'Ensure' means to guarantee upon legal and regulatory penalties up to and including forfeiture of profits and punitive damages in excess of the company's net worth and revenue. In other words, the penalty is bankruptcy and dissolution.
We wish to avoid that.
There is, sadly, only one absolutely guaranteed method of preventing data recovery, and that is
No sympathy here. (Score:2)
Drive destruction requirements should have been forseen and incorporated into the budget.
So what if it's "expensive"? It's a cost of doing business, like toilet paper. The fetish for saving hard disks is silly.
Drive shredding is a good practice. (Score:2)
Slashdotters rightfully complain about poor government security, but for some reason snivel about destroying hard disks.
Hard disks aren't "expensive" nowadays. Classified data loss OTOH can be VERY expensive.
Shred the fucking drives.
Re: (Score:2)
Um, ghosting these drives then reporting them destroyed might just be punishable as treason.
Re: (Score:2)
Re: (Score:2)
He's not advocating doing that, he's expressing incredulity that anybody would want to do so considering the meager savings.
Re: (Score:3, Insightful)
The fact is that if the hard drive read head writes a zero, the hard drive read head will read a zero, it will not read a 0.0003 and be able to speculate that it was once a 1.
http://hardware.slashdot.org/story/08/09/06/189248/the-great-zero-challenge-remains-unaccepted [slashdot.org]
Re: (Score:2)
Re:Zero-fill? (Score:4, Informative)
$40.00 USD and the title "King (or Queen) of Data Recovery".
$40.00 US DOLLARS!!! And they can keep a 60$ HDD!!! For performing a time-intensive, expensive procedure! Yeah, that totally shows everyone...
Oh and most challengers also wouldn't be able to disassemble the drive. And would have to publicly disclose the method used (heh, yeah, I can totally see the NSA jumping at the opportunity to prove some random Internet blogger wrong while disclosing all their methods). I'm sorry, but that challenge is so obviously a joke, it's actually sad, because people think it answers... well, anything. (source [hostjury.com], BTW. Original source has absolutely zero info AFAICT.)
Re: (Score:3)
Why do you assume the hard disk platter will be read by the read head?
It's not that hard to disassemble a hard disk, and there's much more sensitive equipment available. But it costs a lot more than the contest you link to.
Re:Zero-fill? (Score:5, Informative)
You mean like this? [wikipedia.org] Maybe you should read the articles you cite before you use them to correct someone else.
Re: (Score:3)
Which says "As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. "
Since it's the same vendor on the same contract, there's a strong argument that it's the "same security area/zone".
Didn't someone offer a prize for anyone who could recover data from a zeroed drive?
Re: (Score:3)
> In short, HDDs recognize only two states, up or down.
That hasn't been true for at least 10-15 years. Modern hard drives use variable signal strength to record multiple bits into each spot. I believe the official term someone came up with was "vertical recording". In vastly simplified terms, it boils down to this: instead of storing nothing (0) or a magnetic field (1), you store nothing, weak, moderate, or strong. 4 levels = 2 bits. Increase the sensitivity and analog-digital resolution, add some DSP ma
Re: (Score:2)
I'm curious why you really even need "random" data to "approach irreversibility" - wouldn't writing all zeroes, then all ones, then all zeroes, then all ones a few times effectively make the original data be "forgotten"? By then, every bit has previously been one, every bit has previously been zero, multiple times?
Re:Zero-fill? (Score:4, Informative)
The original reason HDD data was recoverable was because the head did not perfectly create or remove magnetic regions on the media. Imperfections, head wobble, electrical noise - all contributed to creating variable sized domains. Now, magnetic polarization of materials has some odd effects - one is that inducing a region of magnetic polarity doesn't swamp out a neighboring region, it will first "push" it away. So if you write "1", then "0", then "1", the thin band of magnetism from the first "1" will be at the outer most edge of the track, with another thin band of "0" and finally the actual "1" that the head sees.
The "killer app" of magnetic force microscopy was then that you could stick the platters under MFM and beat the resolution of the head for reading the data - the oldest copy of the data would be squished up at the edge of the track, the second oldest further in and so on and so forth - you could actually read back several generations of hard disk data.
Of course, since that age, technology has changed - hard disks now use RF modulation to store multiple bits per space, bit densities have shot up, and heads track much more accurately - basically, the physics has been beaten out since we are now writing much more complex data, and almost every single bit of magnetically encodeable space on a hard disk is now used to encode data - there's (very little) space between platters, and what signal you get there is likely irrecoverably fuzzed RF if you can even see it at all.
Re: (Score:3)
Whats with the draconian data policies cropping up everywhere now?
Time after time after time people report finding sensitive data on used or off-lease systems. Replacing drives is trivial vs the risk of a breach (and also trivial vs the cost of most contracts that have such requirements)
Encryption solves the problem, if implemented and used correctly all of the time, and if no keys were lost or compromised (with or without anyone's knowledge)
Destroyed drives tell no tails.
Even the company I work for is requiring HD destruction as opposed to just a decent low level formatting.
Given that you can't actually low-level format modern drives out of the factory, I'm not sure what yo
Re: (Score:2)
Seconding this. The goal of the process is 100% certainty that the data does not become available to anyone ever again. The fact that one of the reasons you want an alternative is because it's expensive to buy new drives is a gigantic strike against you -- you've basically admitted that you want to re-use the drives. Nobody in the government is going to approve a plan that involves the re-use of drives that have had sensitive information on them. And, of course, any plan that doesn't involve drive re-use *s
Re: (Score:2)
Just note that (IIRC) those standards are for non-classified data.
Classified+ require physical destruction/demilling of the drives. Some company failing to follow these stipulations when it comes to classified/S/TS/SCI data is going to lose their contract at best, or someone may face prison time at the worst.
Re: (Score:2)
Disclaimer: I AM a uniformed DoD servicemember who's duties impign upon this, but I am NOT a contract expert, nor do I know the level of data he's processing. Heck, I don't even know if you're working with the DoD.
1. Ignore all other advice in this thread about using programs to wipe HDs. Only NSA approved wiping software may be used, and the instructions would have to be followed to the letter. In this field non-approved programs aren't considered trustworthy enough. The base
2. While the DoD is movi
Re: (Score:2)
The contract was probably written that way so that the incumbent could not undercut the competition by avoiding the costs involved in destruction and replacement. That would leave no option but to swallow that cost and do as the nice government says.