
Ask Slashdot: Data Remanence Solutions?

samzenpus posted more than 2 years ago | from the disintegration-ray dept.

Encryption 209

MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"


209 comments

Why not digital destruction? (4, Insightful)

quanticle (843097) | more than 2 years ago | (#38151370)

There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

Re:Why not digital destruction? (2)

Capt.DrumkenBum (1173011) | more than 2 years ago | (#38151534)

+1 on D-BAN.
One of the best uses of the Linux kernel ever!
Not to mention one hell of a fine piece of software.

Re:Why not digital destruction? (3, Interesting)

1729 (581437) | more than 2 years ago | (#38151582)

There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

How do you verify that the software does this correctly, and that it hasn't been tampered with? What if a drive is mishandled and doesn't get wiped? And if there's a process to do this correctly and with no chance of failure, is it worth that effort to recycle some old hard drives?

Where I work, hard drives with less-sensitive data can be reused; other ones are ground up into little bits. Data cannot be recovered(*) from a thoroughly destroyed hard drive. What assurance is there for a software solution?

(*) To the best of my knowledge. Maybe NSA can piece together the dust of a hard drive, but I highly doubt it.

Re:Why not digital destruction? (5, Funny)

Anonymous Coward | more than 2 years ago | (#38151690)

How much checking could a checker check if a checker checkering checked checks to check the checks that checked the checkering checker?

Re:Why not digital destruction? (1)

Anonymous Coward | more than 2 years ago | (#38151988)

I'll check and get back to you on that one.

Re:Why not digital destruction? (2)

msauve (701917) | more than 2 years ago | (#38151610)

dd if=/dev/random of=/dev/sdx

is free, and just as good.

Re:Why not digital destruction? (0)

Anonymous Coward | more than 2 years ago | (#38151712)

Except it isn't. Use D-BAN.

Re:Why not digital destruction? (3, Insightful)

Joce640k (829181) | more than 2 years ago | (#38151628)

The old "You can recover data even after it's overwritten" thing is a myth [wikipedia.org].

Today's bit densities are so high that it simply isn't going to happen.

Format them. Run a small program to write a file (can be the output of a RNG if you want) until the disk is full. Job done.

Or, as mentioned, use one of the many programs available for this.

Take the "repeatedly overwrite" thing with a pinch of salt unless you really enjoy sitting there watching hard drive lights blinking.

Re:Why not digital destruction? (4, Insightful)

Sancho (17056) | more than 2 years ago | (#38151940)

Yes, but this is a government contract with specific destruction requirements. Go complain to the feds if you don't like the myth. Or maybe the government knows something we don't. Who knows?

Re: Digital destruction is fine, but... (2)

XipX (615675) | more than 2 years ago | (#38151692)

Do it the "right" way. Use the Secure Erase command added to the ATA and SCSI interface specs. http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml. Funded by the NSA until recently.

Re: Digital destruction is fine, but... (1)

Moryath (553296) | more than 2 years ago | (#38151720)

That's great IF your motherboard actually supports the command. A surprising number of SATA controllers will refuse to transmit the command (something about NSA involvement there too)...

Re:Why not digital destruction? (4, Informative)

mlts (1038732) | more than 2 years ago | (#38151740)

I like combining DBAN with HDDErase.

HDDErase will do an ATA low-level secure erase that tells the controller to zero out all sectors. Even those that are on the relocated table, which would be inaccessible via normal software solutions.

After HDDErase does its job (which it does in a pretty quick amount of time since there is no I/O involved, but just the write head laying down zeros), running DBAN on the drive adds further insurance. Realistically, this will remove all data.

Of course, prevention is a good idea as well. This is why I have some type of FDE software on my drives. This way, a simple zeroing out of the drive will be enough. In fact, the format command in Windows will check to see if a disk is BitLocker protected and zero out the places where the volume key resides, so even if someone knew the password to the drive, it will do them no good.

Re:Why not digital destruction? (4, Informative)

Anonymous Coward | more than 2 years ago | (#38151784)

There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

Some classifications of data require destruction of media. See NIST SP 800-88:

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

In NIST/DoD parlance, what DBAN does is cleaning/purging; i.e., either overwrite, or invoke the SATA Secure Erase command. Degaussing is also classified as purging (though the disk becomes unusable AFAIK); degaussing is better suited towards tapes IMHO.

You also need to Validate that it has been done, and document that fact for each drive that has been sanitised.

The OP will have to ask the contract manager at what level the information is considered at (low, medium, high) and then make plans accordingly. If it's high security, one can simply purge the media if you want to re-use the media within an organization, but if you ever want to toss the disk (or even if it's in a RAID array and you need to replace because it died), you need to destroy it and record that fact.

So if your EMC/NetApp/Dell array has sensitive information, you can't send it back to the OEM if sensitive data ever touched it: you have to make arrangements with the OEM so that you can destroy it. Ditto for your laptop/desktop drives: if Lenovo/HP wants the drive back, they can't have it as otherwise you'll be breaking your contract with the government.

Re:Why not digital destruction? (3, Informative)

EdZ (755139) | more than 2 years ago | (#38151840)

No need even for DBAN. Unless you're using truly ancient decade-old HDDs, use the ATA SECURE ERASE command built into the HDD controller. Much faster than DBAN, and wipes not only the accessible sectors but sectors in the G-list. Plus it's NIST and NSA approved, so it should be compliant with any government requirements for data destruction.

It also effectively returns non-TRIM SSDs to a factory state. Remember: when used on SATA drives, set your bios to IDE compatibility mode, not AHCI.

Re:Why not digital destruction? (1)

nahdude812 (88157) | more than 2 years ago | (#38151848)

Yep, this is better than encrypting the drive in that it's possible to secret away a copy of the encryption key and later unlock all the data, or perhaps the algorithm used for encryption gets broken, so suddenly the data is readable again, and so forth.

Encryption offers no advantage over a strict drive wipe, particularly with random data. Realistically multiple passes are not needed because modern bit densities make it improbable that magnetic memory can be meaningfully recovered. Thinking it does demonstrates failed thinking. If you're encrypting just certain files, then empty sectors may still contain unencrypted data. If you're encrypting the whole drive with the intention that it's unrecoverable, then random passes are the same thing.

However, I see any soft destruction as most likely being completely out of the question. It's impossible to look at the outside of a drive and know if it's been correctly wiped, no matter how good the wipe process was. To audit the destruction you'd have to load up each disk and examine it electronically one at a time. And if full-disk encryption was used (maliciously), but it was advertised as a random wipe, that would be impossible to spot.

If it's not your own data that you're destroying, physical destruction of the device is the only way to be sure it was done as advertised.
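
Two posts above describe a check without showing it: the SP 800-88 comment says a software wipe must be validated and documented for each drive, and nahdude812 notes that auditing a wipe means loading each disk and reading it back electronically. The block below is an added example written for this thread, not code from any poster, DBAN or NIST: it zero-fills a constructed image the way `dd if=/dev/zero` would, reads every byte back, and emits a per-drive sanitization record; `/dev/sdx`, the serial and the operator name are placeholders.

```python
"""Read-back verification of a zero-fill overwrite plus a per-drive
sanitization record: the "validate and document it" step from the
NIST SP 800-88 comment, done the way nahdude812 describes, by reading
every sector back electronically.

Added example for this thread; not code from DBAN, NIST or any poster.
Device paths, serial numbers and operator names are placeholders.
"""
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: streams a multi-TB device without buffering it


def first_nonzero_offset(stream, size):
    """Scan `size` bytes from a binary stream. Return the offset of the
    first non-zero byte, or -1 if every byte read back as zero."""
    offset = 0
    while offset < size:
        buf = stream.read(min(CHUNK, size - offset))
        if not buf:  # device came up short: treat the unreadable tail as a failure
            return offset
        stripped = buf.lstrip(b"\x00")
        if stripped:  # lstrip runs in C, far faster than a per-byte loop
            return offset + (len(buf) - len(stripped))
        offset += len(buf)
    return -1


def device_size(f):
    """Byte length of an open file or block device. os.path.getsize()
    reports 0 for block devices on Linux, so seek to the end instead."""
    size = f.seek(0, io.SEEK_END)
    f.seek(0)
    return size


def zero_fill(path):
    """Overwrite every byte of `path` with zeros, the same single pass as
    `dd if=/dev/zero of=<device>` from the thread. Returns bytes written."""
    zeros = memoryview(bytes(CHUNK))
    with open(path, "r+b", buffering=0) as f:
        size = device_size(f)
        written = 0
        while written < size:
            n = f.write(zeros[: min(CHUNK, size - written)])
            written += n
        f.flush()
        os.fsync(f.fileno())  # on the platters, not sitting in the page cache
    return written


def verify_zero_fill(path):
    """Read the whole device back. Returns (ok, first_bad_offset, size).
    Caveat raised in the thread: sectors the firmware has remapped (the
    G-list) are not addressable here, so a clean result says nothing about them."""
    with open(path, "rb", buffering=0) as f:
        size = device_size(f)
        bad = first_nonzero_offset(f, size)
    return bad == -1, bad, size


def sanitization_record(device, serial, operator, ok, bad_offset, size):
    """One audit entry per drive: media, method, verification result,
    who and when, the fields an SP 800-88 style sanitization record carries."""
    return {
        "device": device,
        "serial": serial,  # placeholder; read from the drive label or SMART
        "capacity_bytes": size,
        "method": "overwrite, single zero pass",
        "verification": "full read-back",
        "verified_clean": ok,
        "first_nonzero_offset": bad_offset,  # -1 when clean
        "operator": operator,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Constructed sample: an 8 MiB 'drive image' full of random data is
    wiped and verified, then one byte is written back to simulate a sector
    the wipe missed. Returns (clean_result, dirty_result, record_json)."""
    size = 8 << 20
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sdx.img")  # stands in for /dev/sdx
        with open(img, "wb") as f:
            f.write(os.urandom(size))
        zero_fill(img)
        clean = verify_zero_fill(img)
        with open(img, "r+b") as f:  # simulate one byte the wipe never reached
            f.seek((3 << 20) + 17)
            f.write(b"\x5a")
        dirty = verify_zero_fill(img)
        rec = sanitization_record("/dev/sdx", "SERIAL-PLACEHOLDER", "operator", *dirty)
    return clean, dirty, json.dumps(rec)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```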

Re:Why not digital destruction? (5, Insightful)

Local ID10T (790134) | more than 2 years ago | (#38151916)

D-BAN is great... but if the contract says "Thou shalt turn over thy hard drives for destruction..." then its already been agreed on, and the cost was factored into the bid. Deal with it.

All you have to do is... (3, Funny)

WhitePanther5000 (766529) | more than 2 years ago | (#38151376)

...burn it to an optical disc, then shred the disc! :)

Re:All you have to do is... (4, Insightful)

PhilHibbs (4537) | more than 2 years ago | (#38151744)

You've said it better than I could - and I'd go further to say that the fact that he considered encrypting the data and then destroying the key indicates that the OP is incompetent to be doing this kind of work. You don't destroy data by making an unreadable copy of it. You destroy it by destroying it, which could mean physical destruction, or could mean multiple overwrites (but the fact that the government requirements state physical destruction implies that they have already considered and rejected this option).

DBAN (5, Informative)

jd142 (129673) | more than 2 years ago | (#38151386)

DBAN, Darik's Boot and Nuke, will wipe a hard drive to any of several government standards. If they are fine with mere software disposal of data, then DBAN is the way to go. http://www.dban.org/.

If they insist on physical destruction, I'm sure there are companies in your area that will handle that for you.

Re:DBAN (2)

whoever57 (658626) | more than 2 years ago | (#38151612)

What about re-mapped sectors? Writing to the drive only destroys data on sectors that have not been re-mapped.

This may not be an issue because it might be a good idea to not reuse any drives with remapped sectors so those could go for shredding.

Zero-fill? (0)

Anonymous Coward | more than 2 years ago | (#38151392)

I don't know if it would be a government approved method, but it damn well should be.

Just google search how to run a zero-fill of a hard drive with Linux. The command is something like dd if=/dev/zero of=/dev/sda bs=1M . It will overwrite every bit of the drive with zeroes. It doesn't destroy the hardware, but the data is absolutely, irreversibly gone.

Re:Zero-fill? (-1)

Baloroth (2370816) | more than 2 years ago | (#38151536)

Not irreversible, sorry. That technique allows you to reconstruct most of the data, because of the digital nature of hard drives. In short, HDDs recognize only two states, up or down. Zeroing puts all of them in a "down" (or up I don't really know which HDD use), but the magnetic domains won't all be aligned down, they will just be pointing somewhere down-ish (below the horizontal plane is sufficient). A detailed examination of the domains through custom drive firmware will allow you to reconstruct which domains were originally one, as those domains will be less down-wards than the rest.

Actually I'm pretty sure zeroing is completely or nearly completely reversible. Random data would be slightly better (maybe), but still wouldn't work for the same reason. Google "magnetic remanence" next time you want to make an actually informed post. You need multiple passes using random data to approach irreversibility, and even that isn't good enough for government work.

Re:Zero-fill? (2, Insightful)

Shatrat (855151) | more than 2 years ago | (#38151586)

If it's reversible, you do it.
The fact is that if the hard drive read head writes a zero, the hard drive read head will read a zero, it will not read a 0.0003 and be able to speculate that it was once a 1.

http://hardware.slashdot.org/story/08/09/06/189248/the-great-zero-challenge-remains-unaccepted [slashdot.org]

Re:Zero-fill? (1)

Shatrat (855151) | more than 2 years ago | (#38151786)

And the command is dd if=/dev/zero of=/dev/hda1 given that the partition in question is hda1

Re:Zero-fill? (4, Informative)

ajlitt (19055) | more than 2 years ago | (#38151648)

You mean like this? [wikipedia.org] Maybe you should read the articles you cite before you use them to correct someone else.

Re:Zero-fill? (2)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#38151968)

Which says "As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. "

Since it's the same vendor on the same contract, there's a strong argument that it's the "same security area/zone".

Didn't someone offer a prize for anyone who could recover data from a zeroed drive?

Re:Zero-fill? (0)

Anonymous Coward | more than 2 years ago | (#38151682)

I followed your google advice and found http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data
Is that the information you are referring to?

Why not wipe it? (0)

Anonymous Coward | more than 2 years ago | (#38151394)

Overwrite the drive several times using a wipe tool. How would encrypting it be preferable?

Your Problem (1, Insightful)

CanHasDIY (1672858) | more than 2 years ago | (#38151400)

... is that your idea is logical, rational, and sensible, and therefore will not be considered an acceptable solution.

I recommend inventing some bloated bureaucratic process that involves miles of red tape, and doesn't actually address the issue at hand.

Hell, they might give you a fucking medal for that.

Re:Your Problem (1)

pinfall (2430412) | more than 2 years ago | (#38151460)

Don't forget to showcase your asinine solution to other government agencies (behind closed doors of course, for security's sake), and solidify your position as an official data remanence destruction facility.
Profit.

Re:Your Problem (0)

Anonymous Coward | more than 2 years ago | (#38151528)

no shit, this is hilarious, love working for the government, however since this guy is a contractor why not just create a company policy that exactly matches their requirements. Bada boom bada bing. a slightly more soluble rendition of my parent post.

Depends..... (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38151408)

Assuming it's a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.

Why bother with the encryption? (1)

PSVMOrnot (885854) | more than 2 years ago | (#38151410)

If you just need to destroy the data then why not write random garbage to the entirety of each drive several times?

That's more certain for not being able to recover the data than using some encryption, which still has some structure and so with the application of sufficient time and resources might be recoverable.

There must be some sort of government/military specification for data disposal along the "write random garbage" lines which would satisfy your clients.

Re:Why bother with the encryption? (2)

tippe (1136385) | more than 2 years ago | (#38151442)

Why not do both? Write encrypted random garbage to the hard disks. Everyone is happy!

Re:Why bother with the encryption? (1)

greg1104 (461138) | more than 2 years ago | (#38152002)

Writing random garbage to disk is the one place that ROT-13 encryption is actually good enough for.

Seems like overkill... (0)

Anonymous Coward | more than 2 years ago | (#38151414)

Why encrypt the data and destroy the key? Why not just destroy the original data? A 9 pass random overwrite should be more than sufficient.

what the fuck? set them to random bits.. (1)

gl4ss (559668) | more than 2 years ago | (#38151422)

why don't you just set them to random bits, if that is the goal.

don't go writing that report, you'd sound silly. unless your superiors are really, really dumb.

Re:what the fuck? set them to random bits.. (0)

Anonymous Coward | more than 2 years ago | (#38151456)

unless your superiors are really, really dumb.

He's contracted by the Government. I'll let you write your own punchline...

Is destruction needed anymore? (1)

Jeng (926980) | more than 2 years ago | (#38151426)

It used to be that there were several ways to recover data from a wiped drive even after wiping the data and writing over it, but from what I understand, due to the size of a bit on a modern hard drive, it is impossible to read something that has been overwritten.

dban (0)

dissy (172727) | more than 2 years ago | (#38151432)

http://www.dban.org/ [dban.org]

Darik's Boot and Nuke.

Set it to multi-pass with random data to wipe. One pass will be fine to destroy the data. Set higher to impress the management if you have the time.

Attach multiple pATA and sATA drives spread on as many buses as possible. It will run in parallel in those cases and thus finish quicker.

They support military and DOD level wiping (Many passes, many methods of generating patterns and randomness to interleave)

Easy Peasy (5, Insightful)

danwesnor (896499) | more than 2 years ago | (#38151434)

If you believe the data shouldn't be destroyed, have your contracting office send the government contracting officer a letter requesting the requirement be deferred until the end of the new contract.

Re:Easy Peasy (0)

Anonymous Coward | more than 2 years ago | (#38151696)

That's actually the best idea I've heard so far, and I'm a government contractor. On the other hand, most contracts like that are plenty lucrative. Depending on the economics, just bite your tongue and do what you've been requested by the feds. Risking your contract over something that small isn't worth it.

Re:Easy Peasy (4, Informative)

rjstott (209851) | more than 2 years ago | (#38151718)

Totally agree, if the contract is renewed the destruction can't be necessary until termination of the extension UNLESS this is not a renewal but a NEW contract. THEN you need to ask for a WAIVER

wrong question (0)

Anonymous Coward | more than 2 years ago | (#38151436)

Just destroy the drives AS REQUIRED BY THE CONTRACT. It's not that big a deal.

Destruction unfortunately means literal destruction (0)

Anonymous Coward | more than 2 years ago | (#38151444)

There are a number of frameworks, best practices, regulations, and (in your case) contracts that mention hard drive destruction. 99% of the time to comply with those requirements you have to actually shred the drive, and have a certificate of destruction for each drive (sometimes signed/notarized by both a company representative who witnessed the destruction and the company doing the destruction). Recent reports have shown that digital destruction (DBAN as mentioned above) with only a few passes is sufficient for real security, but that doesn't matter. I know of several organizations that DBAN server drives, degauss them, drill holes in them themselves, then have them picked up to be shredded. The extra safety/security that whole process gives is minimal, and they do it not to be more secure, but because they have to meet random government policies or contracts that require all those steps be taken.

NIST says zero-fill is enough for modern drives (1)

GameboyRMH (1153867) | more than 2 years ago | (#38151448)

See here:

http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data [wikipedia.org]
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf [nist.gov]

Zero-fill (full disk, including bad sectors) is good enough unless there's some top-secret spy tech that you need to protect against (SQUID transducers is one thing I heard?)

Re:NIST says zero-fill is enough for modern drives (1)

ThinkDifferently (853608) | more than 2 years ago | (#38151804)

Too bad the security officers haven't caught up with this news, because they all pretty much just require destruction still.

As with any other government coverup (-1, Troll)

scottbomb (1290580) | more than 2 years ago | (#38151452)

Destroy the drives. Be rid of that evidence! Obama's up for re-election and he needs your help.

The contract... (4, Insightful)

Taelron (1046946) | more than 2 years ago | (#38151454)

The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.

Re:The contract... (2)

jtownatpunk.net (245670) | more than 2 years ago | (#38151618)

Pretty much. Next time read the friggin' contract, subby. If you don't adhere to the terms of the contract and the government finds out, this could well be your company's last government contract. If you're lucky.

Why would they agree? (4, Insightful)

sirwired (27582) | more than 2 years ago | (#38151462)

Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.

Make sure your negotiators don't foul this up for future contracts.

Re:Why would they agree? (4, Insightful)

tlhIngan (30335) | more than 2 years ago | (#38151780)

Exactly. They'll want certificates proving the drives were destroyed per the contract.

Part of your contract bottom line includes the cost of replacing those drives. If your company bid too low and won't make a profit, that's really a shame, but that's something you'll have to take up with the salesperson who wrote the proposal.

Also, realize that hard drives are only expensive *NOW*. Remember what happened in Japan that was supposed to kill the electronics market until the end of the year? In 6 months' time, the prices of hard drives will come back down. Unless your contract is only a month long, the destruction probably won't happen until then, which is probably a year or more down the road (unless it gets renewed again). In the meantime, you only destroy hard drives of PCs that are being decommissioned, so they've already been replaced and no issue at all.

Also - why are you trying to find ways around it? It's in the contract and you wouldn't have gotten it if you didn't agree to the requirement. Is it really to save the company a few bucks? Or is it the inner geek who can't see the sight of tossing a 500GB drive away?

Re:Why would they agree? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38151846)

I think you're looking at it the wrong way.

If the original contract requires the destruction of equipment, then the original contract price covers that. Not destroying the hard drives means you should give some money back to the government since you're not completing the work you were paid for.

If they allow old equipment to be used for the new contract there should be a discount on the new contract to account for this.

Why? (1)

shemyazaz (1494359) | more than 2 years ago | (#38151468)

What's with the draconian data policies cropping up everywhere now? Even the company I work for is requiring HD destruction as opposed to just a decent low level formatting. Is there at least a good reason in this case?

Re:Why? (2)

devilspgd (652955) | more than 2 years ago | (#38151594)

What's with the draconian data policies cropping up everywhere now?

Time after time after time people report finding sensitive data on used or off-lease systems. Replacing drives is trivial vs the risk of a breach (and also trivial vs the cost of most contracts that have such requirements)

Encryption solves the problem, if implemented and used correctly all of the time, and if no keys were lost or compromised (with or without anyone's knowledge)

Destroyed drives tell no tales.

Even the company I work for is requiring HD destruction as opposed to just a decent low level formatting.

Given that you can't actually low-level format modern drives out of the factory, I'm not sure what you're suggesting here.

Become an 'appropriately recognized facility' (0)

Anonymous Coward | more than 2 years ago | (#38151472)

What are the requirements for that?

Re:Become an 'appropriately recognized facility' (0)

Anonymous Coward | more than 2 years ago | (#38151562)

What are the requirements for that?

At least one senator as a major shareholder.

Buy new hard drives (0)

Anonymous Coward | more than 2 years ago | (#38151478)

Seriously? You want to save the $100 - $200 for a new hard drive (Plus $50 Labor to ghost the drive). That's nothing when dealing with DOD contracts.

Re:Buy new hard drives (1)

meloneg (101248) | more than 2 years ago | (#38151546)

Um, ghosting these drives then reporting them destroyed might just be punishable as treason.

Re:Buy new hard drives (1)

qw(name) (718245) | more than 2 years ago | (#38151654)

Close. Federal criminal charges can be brought against someone intentionally doing this.

Uh, your contract was renewed, so... (1)

Crudely_Indecent (739699) | more than 2 years ago | (#38151482)

Why are you destroying the disks? Do you not need any of that data?

Why not request an addendum to the contract that postpones the destruction until a time when the contract is not renewed, or the disks fail (whichever comes first)?

As suggested by others, DBAN is good, or my preferred method is:
write garbage

dd if=/dev/urandom of=/dev/disk

then write zeros

dd if=/dev/zero of=/dev/disk

Proof (1)

egcagrac0 (1410377) | more than 2 years ago | (#38151486)

The problem isn't destroying the data. The problem is demonstrating that you've destroyed the data. If you hand over all the media that the data is on for shredding, and it gets cataloged and then shredded, any bean counter can look and say "see? here's the certificate that says it was destroyed." If you erase it and promise "I erased it! I swear! Honest!", there's not much to look at when they do their audit.

Re:Proof (2)

qw(name) (718245) | more than 2 years ago | (#38151578)

...and when they don't find the proof of destruction, your company loses the contract, you get fired for not following process resulting in loss of contract, or the company folds due to loss of revenue because of the loss of the contract.

Re:Proof (1)

egcagrac0 (1410377) | more than 2 years ago | (#38151604)

Exactly. (I'm suggesting that they destroy the media per contract, not try to find some cute way around it to save a dollar.)

If the contract in future can be negotiated to have the drives wiped instead of shredded, blessings.

Re:Proof (1)

mlts (1038732) | more than 2 years ago | (#38151790)

That is why you do a two tier destruction process in these situations:

Tier 1 consists of a software erase, a physical degaussing and damaging the drive physically (but still keeping it in one piece). This can be accomplished either by drilling holes in the platters, or having a hydraulic ram bend the drive.

Tier 2 consists of handing the stack of bent drives to Iron Mountain or the shredding place who has the shredder online, who will hand back a certificate of destruction.

This way, the auditors are happy because there is a piece of paper showing the drives were destroyed, and one can be sure in-house that the drives were really trashed by doing some process that shatters the drive platters, but keeps the drive in one piece.

Not worth fighting the bureaucracy on this one (2)

davidwr (791652) | more than 2 years ago | (#38151488)

1) When it comes to classified data, physical destruction is typically required
2) When it's a "new contract" the only way around the requirement is to amend the contract. Much easier said than done.

Your company likely doesn't have the political pull to amend the contract and/or it will be more expensive to do so than to buy new drives.

But if you CAN change the contract, then just change it to allow DoD-wiping or similar.

I think there may be a political reason to require destroying the drives and buying new ones: It makes sure that both the incumbent company (you) and any other bidders are on "a level playing field" - that is, you won't be able to reduce your bid by the cost of the drives.

There is also a technical benefit: You are going to start with brand new drives, reducing the odds of drive failures mid-project.

I would recommend your company modify FUTURE contract negotiations to specifically allow for re-using media if the contract is extended or replaced with a contract that is doing substantially the same work AND substantially the same group of employees/subcontractors have physical access to the computers or servers.

Erm? (0)

Anonymous Coward | more than 2 years ago | (#38151492)

Sure dban makes data unrecoverable, but the statement 'they must be sent to an appropriately recognized facility for destruction' doesn't seem very ambiguous to me.

Options (1)

Synerg1y (2169962) | more than 2 years ago | (#38151504)

1. DBAN / similar bootable cds
2. Linux Live Cd -- my fav also the most complex if you don't know unix command line I guess
3. Plug in as any non primary disk and run windows DOD based wipe software (google) on it. -- to speed things up consider getting a pci-e sata adapter so u can do many at once, the adapter is prolly cheaper than w/e they pay you.

I think the government standard is DOD, anything over is time consuming and overkill.

In your report you may want to include why DOD will work and why it's not recoverable, I'll leave that research to your already suspiciously lazy ass.

Encryption accomplishes the same thing, but you'd have to encrypt 3 times and show how the encryption is altering the disk's physical characteristics to make it unrecoverable.

Also I'm not sure where you're coming from on disk space is expensive, it's at the cheapest it's ever been, and will only get cheaper till something replaces SSD and then that will be expensive and the rest of the HDs will get EVEN CHEAPER.

Depending on what you have on your harddrives the gov may accept DOD or it may only accept a physical shredder.

I'd challenge you on how are you going to show to the gov that you actually performed the DOD wipes?

Tbh, sounds like you don't know wtf you're doing, I'd recommend bringing in a consultant to show you the light, this is very basic admin stuff and I don't have anything to do with the gov, just a lot of ppl's personal data in my position.

*sigh* (1)

qw(name) (718245) | more than 2 years ago | (#38151518)

Don't try to find ways to cut costs or save money by skirting around your contractual obligations. Your contract says to destroy the hard drives. You MUST destroy them. You WILL lose your contract if you do not.

If you have a Security department, take your concern to them or your Contracts Manager for this contract. They will tell you the same thing...especially if it's a classified program.

So you didn't... (0)

Anonymous Coward | more than 2 years ago | (#38151520)

So you didn't read the contract and properly estimate costs before agreeing to said contract? Yup, definitely a government contractor.

Erasing a drive does NOT always erase the drive (1)

davidwr (791652) | more than 2 years ago | (#38151548)

Erasing the drive using standard tools like DBAN will NOT erase sectors that the firmware mapped out as bad over the life of the drive.

The government wants any classified information that was ever written to these sectors destroyed as well.

This is why the drives must *eventually* be destroyed rather than land-filled or surplussed.

You can still make a good case that re-using the drive on what amounts to a continuation of the old contract will save money and harm nobody. But as I said before, it's not worth fighting the bureaucracy on this one. Drives were cheap before the flooding in the Far East, and they will be cheap again soon enough.

Disk wipe/destruction (0)

Anonymous Coward | more than 2 years ago | (#38151550)

You have two choices to clear data from government disks. The easiest is degaussing the drive and then destroying it using approved devices. The second is wiping it a certain number of times using approved software. The government has at least one government owned zero cost software package that is approved for the wipe process. A google search for "DoD 5220.22-M Disk Erasure Standards" will get your research started.

Re:Disk wipe/destruction (1)

mlts (1038732) | more than 2 years ago | (#38151812)

Just note that (IIRC) those standards are for non-classified data.

Classified+ require physical destruction/demilling of the drives. Some company failing to follow these stipulations when it comes to classified/S/TS/SCI data is going to lose their contract at best, or someone may face prison time at the worst.

Don't go looking for a problem for your solution (1)

klubar (591384) | more than 2 years ago | (#38151554)

Replacing the drives might not be a bad idea.

If the drives are a couple of years old, you might be better off destroying the drives and buying new ones. The cost of certified drive destruction is pretty cheap, new drives can be had for not much ($60 to $200 depending on whether desktop or workstation).

The lifespan of drives isn't infinite so this would be a good opportunity to replace the 3 or 4 or 5 year old drives with new ones. The incremental labor of removing the drive, putting it in the send-out box for secure destruction and replacing it with a brand new one will not be much more than spending an hour or two wiping the drive. Either way you have to re-image the device.

And the time savings of not having an old production drive go will be huge.

Radia Perlman's Ephemerizer (2)

Saint Aardvark (159009) | more than 2 years ago | (#38151564)

I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract [mendeley.com]:

This paper is about how to keep data for a finite time, and then make it unrecoverable after that. It is difficult to ensure that data is completely destroyed. To be available before expiration it is desirable to create backup copies. Then absolute deletion becomes difficult, because even after explicitly deleting it, copies might remain on backup media, or in swap space, or be forensically recoverable. The obvious solution is to store the data encrypted, and then delete the key after expiration.

Google turns up this copy in PDF [filibeto.org].

Hope that helps!

Endless loop (1)

lucm (889690) | more than 2 years ago | (#38151568)

> I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed

How do you destroy the key? You encrypt it and destroy the second key that you used to encrypt the first one? That's convenient, now you just have to repeat the process in a recursive manner and it should be completed in NaN years.

Re:Endless loop (2)

gweihir (88907) | more than 2 years ago | (#38151702)

Simple: Key on a USB key, destroy that. Or use passphrases that unlock the key and destroy the master key. For example, LUKS is implemented that way, with explicit anti-forensic splitting of the master key, i.e. if you successfully wipe just a few bytes of the master key, blown up to about 100kB, you are quite secure.
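An added example (not from any commenter, and not cryptsetup's own code) modelling the two ideas above and in the Ephemerizer abstract quoted earlier: data written encrypted, the key stored as a LUKS-style anti-forensic stripe blob, and crypto-erase by overwriting a few bytes of that blob. The stripe count and hash diffusion follow AFsplitter's design; the HMAC-SHA256 counter keystream is a constructed stand-in for the real disk cipher, and the sample record is constructed.

```python
import hashlib
import hmac
import os

STRIPES = 4000  # cryptsetup's default; a 32-byte key becomes a 128 kB on-disk blob

def _diffuse(block: bytes) -> bytes:
    """Hash diffusion as in LUKS AFsplitter: each 32-byte chunk is replaced by
    SHA-256(chunk_index || chunk), truncated to the chunk length."""
    size = hashlib.sha256().digest_size
    out = bytearray()
    for i in range(0, len(block), size):
        chunk = block[i:i + size]
        out += hashlib.sha256((i // size).to_bytes(4, "big") + chunk).digest()[:len(chunk)]
    return bytes(out)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def af_split(key: bytes, stripes: int = STRIPES) -> bytes:
    """Expand key into `stripes` random-looking blocks; all are needed to rebuild it."""
    acc = bytes(len(key))
    blocks = []
    for _ in range(stripes - 1):
        r = os.urandom(len(key))
        blocks.append(r)
        acc = _diffuse(_xor(acc, r))
    blocks.append(_xor(acc, key))  # final stripe ties the hash chain to the key
    return b"".join(blocks)

def af_merge(blob: bytes, key_len: int, stripes: int = STRIPES) -> bytes:
    """Inverse of af_split; any damaged stripe yields an unrelated value."""
    acc = bytes(key_len)
    for k in range(stripes - 1):
        acc = _diffuse(_xor(acc, blob[k * key_len:(k + 1) * key_len]))
    return _xor(acc, blob[(stripes - 1) * key_len:])

def wipe(blob: bytes, offset: int, length: int) -> bytes:
    """Model overwriting `length` bytes of the on-disk key blob with zeros."""
    return blob[:offset] + bytes(length) + blob[offset + length:]

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the disk cipher (not LUKS's AES-XTS):
    HMAC-SHA256 counter keystream XORed over the data; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += _xor(data[i:i + 32], hmac.new(key, i.to_bytes(8, "big"), "sha256").digest())
    return bytes(out)

if __name__ == "__main__":
    key = os.urandom(32)
    blob, ct = af_split(key), stream_xor(key, b"constructed sample record")
    print(stream_xor(af_merge(blob, 32), ct))                 # readable: all stripes intact
    print(stream_xor(af_merge(wipe(blob, 100, 8), 32), ct))   # 8 bytes wiped: garbage
```

The wipe only helps for data that was encrypted before it was ever written; sectors that held plaintext and were later remapped are untouched by it, which is the defect-management point raised further down the thread.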

Business Solution - Not Tech Solution (1)

mlheur (212082) | more than 2 years ago | (#38151570)

The business solution is to have the original contract revised to not force you to destroy something you want to keep. You get the next contract, get them to keep the parts to save time, money, efforts, energy. If it works then your employer will see you as a multi-faceted resource with solutions from more than one discipline. If nobody agrees then stop working for someone who makes stupid decisions.

That's how I operate and I've never been fired, been promoted 4-5 times though.

Re:Business Solution - Not Tech Solution (0)

Anonymous Coward | more than 2 years ago | (#38151630)

> That's how I operate and I've never been fired, been promoted 4-5 times though.

Being promoted to Drive-Thru Manager doesn't count...

Re:Business Solution - Not Tech Solution (1)

PhilHibbs (4537) | more than 2 years ago | (#38151830)

The contract was probably written that way so that the incumbent could not undercut the competition by avoiding the costs involved in destruction and replacement. That would leave no option but to swallow that cost and do as the nice government says.

Don't ditch that drive. (1)

MYakus (1625537) | more than 2 years ago | (#38151590)

If it's the same project, you can get the project office to waive the requirement in the prior contract.

Romance (2)

Rinisari (521266) | more than 2 years ago | (#38151608)

I came here expecting an eye-opening discussion regarding some emerging theory of systems administration regarding "data romance".

Son, I am disappointed.

Encryption (1)

Murdoch5 (1563847) | more than 2 years ago | (#38151624)

I would shy away from the encryption method. The drives will be very hard to decrypt but not impossible so it's possible for someone to break the key and get the information off. Even if you use a one time pad there is still a chance of someone breaking it.

The best way to handle this is to magnetically scramble the drive using high powered magnetic fields and then continuously low level format them at least 10 times. This will render the information completely erased. At that point there is as close to a 0% chance of data retrieval as possible.

Security != contract conformant (1)

gweihir (88907) | more than 2 years ago | (#38151652)

As to secure destruction, encryption is quite fine, if it is modern encryption done right. (I have seen some commercial things that were just stupid....) Overwriting, as some here suggested, unfortunately does not do the job, because of defect management. For sectors still in use, it is likely just as secure as encryption, but it does exactly nothing for reallocated blocks. (Even more so for SSDs and flash drives.)

For Windows, TrueCrypt is a good solution. For Linux LUKS with defaults or AES in XTS mode.

But the problem is the contract. If it stipulates physical destruction, then you have to do that. There will likely be no legal way out of that.

Re:Security != contract conformant (2)

PhilHibbs (4537) | more than 2 years ago | (#38151872)

Er... if overwriting is not sufficient due to defective sectors, then how does encrypting the data deal with those defective sectors? And how does writing an encrypted version to a SSD do a better job than writing random data to a SSD? It's worse, because you can write data to the entire SSD whereas encrypting will only write as much as you encrypt, leaving some blocks unwritten.

Re:Security != contract conformant (0)

Anonymous Coward | more than 2 years ago | (#38151984)

The encryption must be done before that data is written (the data is written encrypted), thus when a block goes bad and is reallocated to a spare block, the data left behind is unreadable. Overwriting the data will smudge out all the allocated blocks pretty well, but anything written to a deallocated (bad) block, will not be overwritten.

If he already has data that needs to be destroyed, then it is too late to work out the encryption option on that drive.

This is a process issue not a technical issue. (2)

Alex (342) | more than 2 years ago | (#38151672)

There are a number of good posts on here, and a lot of people saying "use DBAN".

99.99% of the problem space here is the process that proves the drive was wiped and the processes supporting that, 0.01% is doing the wiping.

Encryption won't destroy the data (1)

chrismcb (983081) | more than 2 years ago | (#38151688)

Encryption won't destroy the data. You are assuming that it is impossible to decrypt the data. As computers get faster and faster you will have a hard time trying to prove to someone it can't be decrypted.

contract negotiation (2)

brian1078 (230523) | more than 2 years ago | (#38151698)

> What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high.

It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.

This is a lot larger than your one customer (1)

ThinkDifferently (853608) | more than 2 years ago | (#38151700)

I have contracted with many government agencies over 16 years. This issue is a lot larger than your one customer. When the government mandates that drives containing sensitive material be destroyed, they mean it, and will not back down, no matter how logical your alternative. The security gurus, if you can call them that, take the approach, better safe than sorry. Rather than doing an expensive study to determine if data truly is gone when you write it over dozens of times with random data, it's just easier to mandate to smash the hard drive with a 10 pound sledge dozens of times. That said, if the hard drives aren't changing hands, it seems silly to me that they'd mandate you destroy all of the old drives and start the same project over again with all new ones...unless I'm missing something. As long as the drives stay at the same classification from the same agency, usually they don't have to go anywhere. However, if the data from the old project must go away, and the new project is unrelated, I might see why they want the old data destroyed. In my experience, though, if equipment never leaves the room, and the room never changes classification, it usually stays. Remember, it's a "better safe than sorry" situation with the government. They won't listen to an alternative, because it's a government-wide security mandate, and they never deviate from those. Given a choice between listening to your security officer and listening to your intellect, listen to your security officer every time. You'll keep your job and your security clearance.

Re:This is a lot larger than your one customer (1)

Urban Garlic (447282) | more than 2 years ago | (#38151806)

Seconding this. The goal of the process is 100% certainty that the data does not become available to anyone ever again. The fact that one of the reasons you want an alternative is because it's expensive to buy new drives is a gigantic strike against you -- you've basically admitted that you want to re-use the drives. Nobody in the government is going to approve a plan that involves the re-use of drives that have had sensitive information on them. And, of course, any plan that doesn't involve drive re-use *should* include drive destruction, as a strategy to ensure re-use does not occur.

This is basically the same mentality that mandates air-gapping critical control systems to isolate them from the network. It's true that there are more convenient and less drastic schemes which, if operated correctly, provide the same protection. But if the goal is 100% certainty, then "if operated correctly" is too big of an "if".

Time to get contracting involved (1)

Registered Coward v2 (447531) | more than 2 years ago | (#38151750)

The only person that can resolve this for you is the government contracting officer. They will have to review the requirements and decide what is an acceptable solution. You can offer up solutions, including keeping the drives in place since the equipment is staying there anyway, but they must make the call.

Their hands may be tied by regulations that require physical destruction, in which case you have no choice. They may be able to approve keeping the drives. In the end, they will do whatever keeps them out of trouble, which often is to simply enforce the existing contract requirements. In that case, find a place that meets the destruction requirements. They may want to avoid that but if gov't contracting requirements require it they will do it.

It may sound ridiculous, but whatever you spend on new drives is a lot cheaper in the long run than making life difficult for the contracting officer.

near-guaranteed employment? (1)

ThinkDifferently (853608) | more than 2 years ago | (#38151768)

> giving me several more years of near-guaranteed employment!

Correct me if I'm wrong, government contracting experts, but a little known factoid is that the government can just terminate any contract it wants to at any time, if it can be shown it's in the best interests of the government. Contractors, OTOH, may not.

DBAN or Ghost (1)

Halster (34667) | more than 2 years ago | (#38151782)

So people have already said use DBAN. So I'll point out Symantec Ghost also wipes drives using the GDisk utility. Both Ghost and DBAN can wipe a drive with a DoD standard 5220.22-M wipe. Surely if it's good enough for national defense...

L8r

Incinerate = Destroyed (1)

Chiminea (696521) | more than 2 years ago | (#38151818)

At my Agency we use DBAN if we are going to re-use the drive. Otherwise if the drive is failed and has data on it or if it is just no longer serviceable (ye olde SCSI anyone) it goes into a burn box and IT Security takes it to a secure incineration facility. Encrypting the data and then losing the keys does not destroy the data. It just makes it unavailable to you at this moment. Next year that impossible to crack encryption might not be so far out of reach. If the contract is written that the drives get destroyed then replacing them is the cost of doing business. It is admirable to try and save money but I would rather be sure... This is the classic case of "don't leave them for dead, leave them dead".

Sounds Like A Contract Mod (1)

cmholm (69081) | more than 2 years ago | (#38151850)

If you've got stiff data remanence requirements in your existing contract, it sounds like you'll need to ask for a contract modification. Not knowing exactly what sort of data you're working with, I'll just say it sounds like the customer really wanted to make sure their data didn't end up on eBay by accident.

The time to have provided for a non-destructive alternative would have been when the original contract was being negotiated. That said, ask your PM to ask the customer contracts officer about it. Keep in mind that no matter how good your electronic data wiping method, nothing beats sending the platters to the hammer mill. Your new contract probably budgets for new discs, so unless you and the customer are going to realize significant savings from reuse, I wouldn't go to the mattresses over it.

In this case the government has more sense (0)

Anonymous Coward | more than 2 years ago | (#38151958)

Normally, I have little respect for what government does because of how it gives people the wrong incentives, but in this case the government contract has been written by experienced people. This is a perfect example of a relative neophyte believing he knows better than old hands simply because he's relatively ignorant (I didn't say stupid). Hey, we've all been there.

Others have likely said this, but obviously anyone with any experience thinking about security knows what is hard to decrypt today may be child's play tomorrow (or child's play for certain foreign government institutions). Do what the people who know what they are talking about told you to do in the contract -- have the disks physically destroyed just as the contract stipulates.
