02-23-2008, 05:54 AM
How many overwrites for secure erase?
On another list, someone asked a question which piqued my
curiosity.
U.S. DoD requires 7 overwrites. The OP wanted a '*technical*
justification of "15-times" or any other number. Technical one,
not "because mama said so".'
Has anyone actually recovered data that's been overwritten
even once by random data? Twice?
We know about the theoretical techniques to get the data. We
know it would be horrendously expensive. But has anyone
*actually* done it?
And, regardless, is there some number of overwrites that
*will* make the data unrecoverable? The OP was looking for
something better than pulling a number out of the air (or
wherever) - a number with some theoretical or experimental
justification.
I figured if anyone had the answers (and was allowed to give
them), it would likely be someone in this group.
--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position
02-23-2008, 08:40 AM
Re: How many overwrites for secure erase?
Arthur T. wrote:
> And, regardless, is there some number of overwrites that
> *will* make the data unrecoverable?
Current hard drives are within about 5 to 10% of the Shannon limit, thus one
overwrite should suffice.
02-23-2008, 11:09 AM
Re: How many overwrites for secure erase?
From: "Arthur T." <arthur@munged.invalid>
| On another list, someone asked a question which piqued my
| curiosity.
|
| U.S. DoD requires 7 overwrites. The OP wanted a '*technical*
| justification of "15-times" or any other number. Technical one,
| not "because mama said so".'
|
| Has anyone actually recovered data that's been overwritten
| even once by random data? Twice?
|
| We know about the theoretical techniques to get the data. We
| know it would be horrendously expensive. But has anyone
| *actually* done it?
|
| And, regardless, is there some number of overwrites that
| *will* make the data unrecoverable? The OP was looking for
| something better than pulling a number out of the air (or
| wherever) - a number with some theoretical or experimental
| justification.
|
| I figured if anyone had the answers (and was allowed to give
| them), it would likely be someone in this group.
|
The DoD requirements are...
Write a bit pattern such as; 10101010
Write its complement; 01010101
Write another pattern such as; 11110000
Perform that six times.
The disk will then be sanitized.
--
Dave http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
02-23-2008, 11:46 AM
Re: How many overwrites for secure erase?
Arthur T. <arthur@munged.invalid> writes:
> On another list, someone asked a question which piqued my
>curiosity.
> U.S. DoD requires 7 overwrites. The OP wanted a '*technical*
>justification of "15-times" or any other number. Technical one,
>not "because mama said so".'
> Has anyone actually recovered data that's been overwritten
>even once by random data? Twice?
The claim is that in the past, hard drives would tend to keep traces of the
data. But now, because the manufacturers are trying to squeeze the last
ounce of data out of drives, any such residual memory would be a source of
extra storage, so that modern disks have essentially zero redundancy and
those old techniques do not work. I.e., overwriting once is enough.
Note if the data is really that sensitive, overwrite and then destroy the
disk by a really hot fire.
> We know about the theoretical techniques to get the data. We
>know it would be horrendously expensive. But has anyone
>*actually* done it?
The current claim is that it is not actually doable on modern disks.
> And, regardless, is there some number of overwrites that
>*will* make the data unrecoverable? The OP was looking for
>something better than pulling a number out of the air (or
>wherever) - a number with some theoretical or experimental
>justification.
Destroy the disk by fire. Really hot fire.
If the data is that secret, the cost of a disk is trivial.
> I figured if anyone had the answers (and was allowed to give
>them), it would likely be someone in this group.
02-23-2008, 02:17 PM
Re: How many overwrites for secure erase?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
>From: "Arthur T." <arthur@munged.invalid>
>| On another list, someone asked a question which piqued my
>| curiosity.
>|
>| U.S. DoD requires 7 overwrites. The OP wanted a '*technical*
>| justification of "15-times" or any other number. Technical one,
>| not "because mama said so".'
>|
>| Has anyone actually recovered data that's been overwritten
>| even once by random data? Twice?
>|
>| We know about the theoretical techniques to get the data. We
>| know it would be horrendously expensive. But has anyone
>| *actually* done it?
>|
>| And, regardless, is there some number of overwrites that
>| *will* make the data unrecoverable? The OP was looking for
>| something better than pulling a number out of the air (or
>| wherever) - a number with some theoretical or experimental
>| justification.
>|
>| I figured if anyone had the answers (and was allowed to give
>| them), it would likely be someone in this group.
>|
>The DoD requirements are...
>Write a bit pattern such as; 10101010
>Write its complement; 01010101
>Write another pattern such as; 11110000
>Perform that six times.
>The disk will then be sanitized.
The DoD is a bureaucracy. Although the recommendation probably made sense
once, once they had been promulgated they will never again change no matter
how the technology changes. To relax them puts someone's ass on the line.
What if he relaxes them and suddenly some data leaks? Thus they are frozen
in time even if they make no sense whatsoever.
I would not take their recommendation as indicating anything whatsoever
about what the current best practice is. While doing what they say may not
harm except that the wipe takes 2 days rather than 20 min. -- which means
no one does it.
>--
>Dave
>http://www.claymania.com/removal-trojan-adware.html
>Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
02-23-2008, 02:22 PM
Re: How many overwrites for secure erase?
Unruh wrote:
> The claim is that in the past, hard drives would tend to keep traces of the
> data. But now, because the manufacturers are trying to squeeze the last
> ounce of data out of drives, any such residual memory would be a source of
> extra storage,
This is a bogus argument. Knowing that you could increase the data density
doesn't make it any more feasible if it's computationally and technically
expensive.
> so that modern disks have essentially zero redundancy and
> those old techniques do not work. I.e., overwriting once is enough.
Well, at least the corollary holds.
With increased read speeds, the signals got so badly deluded that they're
essentially pure sine waves. Matching with triggers became impossible, so
currently it's done by comparing the signal against a large list (256 or
more) of signals in parallel and integrating over the absolute difference,
just to get the best match.
Since such a technique doesn't allow for any specialized signal codes, they
were free to resort to the very expensive, generic Turbo(-like) codes. And
since they had to use these anyway, they could also use their generism and
efficiency to increase data density to close to the Shannon limit.
> Note if the data is really that sensitive, overwrite and then destroy the
> disk by a really hot fire
Nonsense. The burnt material could shield small pieces of the disc from the
heat for a very long time.
Either you have a really really long fire (hours till days) of constant high
heat, or you may simply resort to degaussing or acid.
> The current claim is that it is not actually doable on modern disks.
It is, just the results are not significantly better than educated guessing.
02-23-2008, 02:28 PM
Re: How many overwrites for secure erase?
From: "Unruh" <unruh-spam@physics.ubc.ca>
|
| The DoD is a bureaucracy. Although the recommendation probably made sense
| once, once they had been promulgated they will never again change no matter
| how the technology changes. To relax them puts someone's ass on the line.
| What if he relaxes them and suddenly some data leaks? Thus they are frozen
| in time even if they make no sense whatsoever.
| I would not take their recommendation as indicating anything whatsoever
| about what the current best practice is. While doing what they say may not
| harm except that the wipe takes 2 days rather than 20 min. -- which means
| no one does it.
|
The standard has changed. What I posted was the NEW standard.
Don't say "..no one does it.". I see disk sanitization done all the time.
This isn't something for just Defense organizations. Sanitization should be done by *any*
company that has company proprietary information stored on their respective hard disks.
--
Dave http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
02-23-2008, 02:54 PM
Re: How many overwrites for secure erase?
Arthur T. <arthur@munged.invalid> writes:
> On another list, someone asked a question which piqued my
> curiosity.
>
> U.S. DoD requires 7 overwrites. The OP wanted a '*technical*
> justification of "15-times" or any other number. Technical one,
> not "because mama said so".'
post in another thread
http://www.garlic.com/~lynn/2008c.html#47 Data Erasure Products
http://www.garlic.com/~lynn/2008c.html#48 Data Erasure Products
the above has reference to NIST standard for overwriting and GAO
finding that it was adequate ... and then some vendor study finding out
that they could still recover data (at least in the case of used
magnetic tape that the gov. was selling ... after overwrites).
as to disk, some really old email about disk track spacing being reduced
from 20widths to 10widths (doubling number of tracks ... later to
2widths). http://www.garlic.com/~lynn/2006s.html#email871122
in this post http://www.garlic.com/~lynn/2006s.html#30 Why magnetic drums was/are worse than disks ?
above also references early work on vertical/perpendicular recording
.... which more recently is showing up in commodity products http://www.garlic.com/~lynn/2007o.html#64 Toshiba Boosts Hard Drive Density by 50%
this old email doing a different kind of head design (working with the
person that originated risc chip architecture) http://www.garlic.com/~lynn/2006s.html#email871230
part of the issue used to be small head jitter ... head write surface
would be wider than head read surface ... to reasonably assure that most
recent write path would cover the area that subsequent reading head
would travel. by implication a subsequent write operation might not
exactly overlap a previous write operation (residual signal from
previous writes offset to one side or another).
quicky search engine turns up reference to current issues with
signal noise from closeness of adjacent tracks
this reference could imply possibly looking at noise from previous
writes: http://www.lecroy.com/tm/solutions/d...NA/default.asp
02-23-2008, 03:16 PM
Re: How many overwrites for secure erase?
Arthur T. <arthur@munged.invalid> wrote in
news:0sfvr3ttpfq4ufbd3r9bvre9kgpnnmjvq6@4ax.com:
> On another list, someone asked a question which piqued my
> curiosity.
>
> U.S. DoD requires 7 overwrites. The OP wanted a '*technical*
> justification of "15-times" or any other number. Technical one,
> not "because mama said so".'
>
> Has anyone actually recovered data that's been overwritten
> even once by random data? Twice?
In ye olde days you had "blobby bits" and wobbly heads. You don't have
that anymore.
There isn't, AFAIK, anyone offering to recover data from a disc that's
been over-written even once with all 0's. (Which would be easier than
recovering from an over write of pseudo random data.)
>a number with some theoretical or experimental
> justification.
Here are two theories:
1) The theory is that you don't know what tech your attacker has, and you
don't know what tech your attacker will invent in the future, and so you
over-write many times with patterns and random data, then take the
platters out and physically destroy them.
2) You have sensitive information (patient medical stuff, for example)
and it's just easier to do the belt-and-braces destroy thing than a
sensible destroy, if only to keep the wing-nuts out of your hair. You've
removed any doubt.
People might prefer to do cost-benefit risk analyses - it takes time (and
thus money) to overwrite disks.
02-23-2008, 03:17 PM
Re: How many overwrites for secure erase?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:9YWvj.397$xg6.104@trnddc07:
> From: "Unruh" <unruh-spam@physics.ubc.ca>
>
>
>|
>| The DoD is a bureaucracy. Although the recommendation probably made
>| sense once, once they had been promulgated they will never again
>| change no matter how the technology changes. To relax them puts
>| someone's ass on the line. What if he relaxes them and suddenly some
>| data leaks? Thus they are frozen in time even if they make no sense
>| whatsoever. I would not take their recommendation as indicating
>| anything whatsoever about what the current best practice is. While
>| doing what they say may not harm except that the wipe takes 2 days
>| rather than 20 min. -- which means no one does it.
>|
>
> The standard has changed. What I posted was the NEW standard.
>
> Don't say "..no one does it.". I see disk sanitization done all the
> time.
>
> This isn't something for just Defense organizations. Sanitization
> should be done by *any* company that has company proprietary
> information stored on their respective hard disks.
Sanitizing may be acceptable (I hae me douts) for a drive that is moving
within an organization (but even then only from and to low security
uses/users). For any HD leaving the company, the HD should be
*destroyed.* Many companies that do paper shredding also have a division
that will mangle HDs (and CDs, etc.) into tiny bits - often with a logged
secure custody chain, witnessing, etc.
Wiping is slow (especially for modern very big drives), and there are
many risks that it will be overlooked or will be done incompletely (e.g.,
all too easy for one in the "to be wiped" pile accidentally being moved
to the "wiped" pile without having been wiped).
HDs are cheap, liabilities are large - too cheap and too large to take
risks with for data leaking outside the company. Destroy 'em!
Regards,
02-23-2008, 03:21 PM
Re: How many overwrites for secure erase?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:9YWvj.397$xg6.104@trnddc07:
[snip]
> Don't say "..no one does it.". I see disk sanitization done all the
> time.
I see lots of people who don't really know what they're doing, and don't
have particularly sensitive info, "over sanitizing" their disks.
> This isn't something for just Defense organizations. Sanitization
> should be done by *any* company that has company proprietary
> information stored on their respective hard disks.
I'd hope everyone agrees on that bit! What's up for debate is how much
overwriting is actually needed.
02-23-2008, 03:24 PM
Re: How many overwrites for secure erase?
"Sebastian G." <seppi@seppig.de> wrote in
news:62as0jF21pbucU1@mid.dfncis.de:
[snip]
> Either you have a really really long fire (hours till days) of
> constant high heat, or you may simply resort to degaussing or acid.
Obviously: Degaussing the platters, not the whole drive. Which I've seen
people recommend as a way of disk erasing.
02-23-2008, 03:46 PM
Re: How many overwrites for secure erase?
In Message-ID:<gAUvj.51673$C61.25538@edtnps89>,
Unruh <unruh-spam@physics.ubc.ca> wrote:
>modern disks have essentially zero redundancy and
>those old techniques do not work. I.e., overwriting once is enough.
>
>Note if the data is really that sensitive, overwrite and then destroy the
>disk by a really hot fire
Paraphrased: It's impossible to retrieve the data if it's
overwritten even once, but if you don't want people to be able to
retrieve the data, destroy the disk.
Actually, this is the kind of advice the OP was already
getting. His question, though, (again, paraphrased) is whether
there are technical reasons published to show that two wipes are
(or are not) better than one. And, if one wipe isn't enough, are
there technical reasons to show that N is enough (for some N).
I have seen published two methods of attack:
1. Incomplete magnetization. This is a possible reason to
require multiple passes with specific kinds of bit patterns. But,
is there really enough residual data to be read after a wipe with
a pattern and its complement?
2. Incomplete coverage. This is the reason for multiple passes
regardless of the bit patterns. However, by its nature, there's a
statistical chance that an area written by the real data will be
missed by every subsequent pass (especially if the disk was jarred
after writing the real data). This, of course, ignores the
likelihood that a well-used disk will already have most sectors
written to several times, so the "real" data is already obscured
by older data (which is obscured by the "real" data).
An anti-paranoia note (therefore, possibly not appropriate
for this newsgroup) on a related topic: A few years back they
made another attempt to read the 18-minute gap in the Nixon tape
using the latest and greatest technology. They failed.
--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position
02-23-2008, 05:02 PM
Re: How many overwrites for secure erase?
In Message-ID:<Xns9A4DA577A884FYAsfKJXSTO@194.117.143.37>,
bealoid <signup@bealoid.co.uk> wrote:
>1) The theory is that you don't know what tech your attacker has, and you
>don't know what tech your attacker will invent in the future, and so you
>over-write many times with patterns and random data, then take the
>platters out and physically destroy them.
Pointing out the possibilities of future tech (and the
near-impossibility of ruling out what future tech might be) puts
overwriting into a different perspective. Thank you.
>2) You have sensitive information (patient medical stuff, for example)
>and it's just easier to do the belt-and-braces destroy thing than a
>sensible destroy, if only to keep the wing-nuts out of your hair. You've
>removed any doubt.
CYA is a very good reason, but not a technical one ;-).
>People might prefer to do cost-benefit risk analyses - it takes time (and
>thus money) to overwrite disks.
And, it takes even more time and money to do the analysis of
how much overwriting is necessary. Thus, we're likelier to get
"guidelines" than reasoned, technical answers.
So, even if today N overwrites makes a disk unreadable,
tomorrow someone might find a way to read it. (And, of course,
even N overwrites might be readable by a closed-mouthed government
agency.)
Short of a theoretical proof (which is unlikely to have much to
do with real-world technology), N can be argued but might never be
enough for absolute security.
I think this explains the lack of reasons for the guidelines
currently available.
Thanks to all who responded to this thread. I responded to
this post because that's when the answers sunk in, but all of the
responses were helpful in bringing me to the state where I could
understand the gestalt.
--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position
02-23-2008, 05:06 PM
Re: How many overwrites for secure erase?
On Sat, 23 Feb 2008, in the Usenet newsgroup alt.computer.security, in article
<MNWvj.36872$FO1.1883@edtnps82>, Unruh wrote:
>"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
>>The DoD requirements are...
>
>>Write a bit pattern such as; 10101010
>>Write its complement; 01010101
>>Write another pattern such as; 11110000
>>Perform that six times.
>
>>The disk will then be sanitized.
>The DoD is a bureaucracy. Although the recommendation probably made sense
Obviously, you are not a DOD contractor. The wiping process is NOT a
recommendation, it is an absolute REQUIREMENT. They tell you to do it,
and you do - no quibbling, no bullshit.
>once, once they had been promulgated they will never again change no
>matter how the technology changes. To relax them puts someone's ass on
>the line.
Fine - YOU negotiate the contract to do otherwise. Otherwise, you are
in violation of the contract, and bad things will happen.
>What if he relaxes them and suddenly some data leaks? Thus they are
>frozen in time even if they make no sense whatsoever.
Please stop imagining things. Read the requirements - they're public
knowledge, and note FURTHER that these are not the most stringent of
data destruction.
>I would not take their recommendation as indicating anything whatsoever
>about what the current best practice is. While doing what they say may
>not harm except that the wipe takes 2 days rather than 20 min.
So what? Their REQUIREMENT is a REQUIREMENT, not a recommendation, not
a suggestion. You do it WITH WITNESSES or YOU suffer the consequences.
Or, do you feel that contract law doesn't apply to you?
>which means no one does it.
BULL SHIT! Free clue:
Web Results 1 - 10 of about 26,300 for computer+data destruction
Vancouver+BC. (0.21 seconds)
and that's just Vancouver, BC. The yellow pages here in Phoenix list
nine companies who will do data destruction and claim to have various
certifications to do so. We use two of them.
Old guy
02-23-2008, 05:29 PM
Re: How many overwrites for secure erase?
From: "Moe Trin" <ibuprofin@painkiller.example.tld>
< snip >
|
| and that's just Vancouver, BC. The yellow pages here in Phoenix list
| nine companies who will do data destruction and claim to have various
| certifications to do so. We use two of them.
|
| Old guy
Any DoD Contractor can have the NSA CMC destroy the disks and receive a receipt indicating
their destruction. :-)
--
Dave http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
02-24-2008, 01:11 AM
Re: How many overwrites for secure erase?
On Sat, 23 Feb 2008, in the Usenet newsgroup alt.computer.security, in article
<v4n0s3dhcn9bc8gp2vvsgksgashuffsd2o@4ax.com>, Arthur T. wrote:
>bealoid <signup@bealoid.co.uk> wrote:
>>People might prefer to do cost-benefit risk analyses - it takes time
>>(and thus money) to overwrite disks.
>
> And, it takes even more time and money to do the analysis of
>how much overwriting is necessary. Thus, we're likelier to get
>"guidelines" than reasoned, technical answers.
If you are not a DOD contractor, then you have to make a reasoned
guess of what you are trying to protect against. (If you are a
DOD contractor, then you just do _exactly_ what the contract says
you are to do - no more, no less.) Are you worried about your
competitor finding a used hard drive that has the secret ingredients
of your Whizzo Cola(tm)? Are you worried about the cops finding a
list of your customers for that fantastic Reindeer Dust? Or is this
the theory of how to make gasoline from sea water at a cost of $0.51
a barrel, using a solar powered boiler made from used tin-cans?
> So, even if today N overwrites makes a disk unreadable,
>tomorrow someone might find a way to read it. (And, of course,
>even N overwrites might be readable by a closed-mouthed government
>agency.)
Ah, but recall that N overwrites is only acceptable up to certain
specified classification levels. If it's "The Deep Dark Secret That
No One Should Ever Know About", the correct answer is to slag the
drive - physical destruction of the media, followed by melting the
residue. It's kind of hard to get anything off a ceramic platter
when the platter is now a new glass coffee mug, and the aluminum
platter is now a new can of Belch Beer. If that's what happened to
the media, think what remains of the magnetic patterns on the (also)
melted residue. Is that a one, or a zero transition here, and
where does that fit into which file?
> Short of a theoretical proof (which is unlikely to have much to
>do with real-world technology), N can be argued but might never be
>enough for absolute security.
Bingo!
> I think this explains the lack of reasons for the guidelines
>currently available.
There are guidelines. What you have to determine is if any of them
apply to you or your situation.
Old guy
02-24-2008, 01:12 AM
Re: How many overwrites for secure erase?
On Sat, 23 Feb 2008, in the Usenet newsgroup alt.computer.security, in article
<YBZvj.234$R_5.180@trnddc08>, David H. Lipman wrote:
>From: "Moe Trin" <ibuprofin@painkiller.example.tld>
>| and that's just Vancouver, BC. The yellow pages here in Phoenix list
>| nine companies who will do data destruction and claim to have various
>| certifications to do so. We use two of them.
>Any DoD Contractor can have the NSA CMC destroy the disks and receive a
>receipt indicating their destruction. :-)
I'm not exactly sure how our DOD stuff is handled, as it's not my
bailiwick. On the other hand, I'm guessing that about a quarter of the
drives here go out for a certified scrub because we're a R&D facility
and corporate is rather paranoid about some things. Heck, all of the
waste paper trash is shredded, even if it came from the chief cook's
office in the employee's cafeteria, just as all hard drives get a 3
pass (zeros, ones, "random data") wipe when they are taken out of
service. Something like 15 minutes per Gig - big deal, especially
when you have several "dedicated" boxes to do the job.
Old guy
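Added example (not part of any post in this thread): the pass sequences described above, David H. Lipman's pattern / complement / second pattern and Moe Trin's zeros / ones / random, run over a file-backed image with a read-back check after every pass, so that an image cannot be logged as wiped without having been wiped. The function names, the 64 KiB chunk size and the sample image are assumptions made for the illustration.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # assumed I/O size for the illustration

# Pass plans taken from the two posts; None means "random data".
PATTERN_PLAN = [0b10101010, 0b01010101, 0b11110000]  # pattern, complement, another pattern
THREE_PASS_PLAN = [0x00, 0xFF, None]                  # zeros, ones, random
# A plan can be repeated with list multiplication, e.g. PATTERN_PLAN * 6.


def write_pass(fd, size, fill):
    """Overwrite bytes [0, size) with `fill`; return SHA-256 of what was written."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if fill is None else bytes([fill]) * n
        offset = 0
        while offset < n:                      # os.write may write less than asked
            offset += os.write(fd, block[offset:])
        digest.update(block)
        remaining -= n
    os.fsync(fd)                               # flush this pass before verifying it
    return digest.hexdigest()


def read_digest(fd, size):
    """Read bytes [0, size) back and return their SHA-256."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    remaining = size
    while remaining:
        block = os.read(fd, min(CHUNK, remaining))
        if not block:
            raise IOError("short read during verification")
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def wipe(path, plan):
    """Run every pass in `plan` over the whole file and return an audit log.

    Stops at the first pass whose read-back does not match what was written.
    Note: the read-back shows what the OS returns, which may be served from
    the page cache rather than from the medium itself.
    """
    log = []
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        for number, fill in enumerate(plan, start=1):
            ok = write_pass(fd, size, fill) == read_digest(fd, size)
            log.append({
                "pass": number,
                "fill": "random" if fill is None else f"0x{fill:02X}",
                "bytes": size,
                "verified": ok,
            })
            if not ok:
                break
    finally:
        os.close(fd)
    return log


def demo(plan):
    """Wipe a constructed 200,000-byte image; return (log, marker_found, data)."""
    marker = b"CONSTRUCTED-SECRET-RECORD"      # constructed sample content
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as fh:
            fh.write(marker * 8000)
        log = wipe(image, plan)
        with open(image, "rb") as fh:
            data = fh.read()
    return log, marker in data, data


if __name__ == "__main__":
    for name, plan in (("pattern", PATTERN_PLAN), ("three-pass", THREE_PASS_PLAN)):
        log, found, _ = demo(plan)
        for entry in log:
            print(name, entry)
        print(name, "marker still present:", found)
```

The per-pass log is the part worth keeping with the drive's paperwork: a drive that was never wiped has no log, and a pass that failed verification is recorded as such.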
02-24-2008, 05:05 AM
Re: How many overwrites for secure erase?
ibuprofin@painkiller.example.tld (Moe Trin) wrote in
news:slrnfs1kia.1ss.ibuprofin@compton.phx.az.us:
....
> Ah, but recall that N overwrites is only acceptable up to certain
> specified classification levels. If it's "The Deep Dark Secret That
> No One Should Ever Know About", the correct answer is to slag the
> drive - physical destruction of the media, followed by melting the
> residue. It's kind of hard to get anything off a ceramic platter
> when the platter is now a new glass coffee mug, and the aluminum
> platter is now a new can of Belch Beer.
Roasting is messy, hard on the environment, and can be unsafe, although
getting the disks and heads hotter than the Curie/Neel temperature is
effective and reasonably doable by amateurs.
The preferred method for complete destruction is degaussing by a machine
designed for the purpose (preferably over 8000 Gauss - machines are
available as high as 13000 Gauss) followed by shredding. Such degaussers
work quickly through the drive casing, warp heads, etc, and remove all
magnetic info from the drive including servo tracks, etc. This alone
irretrievably blitzes the drive. Shredding puts the final nails in the
coffin.
Cost for degaussing and shredding (with custody and audit trail) is about
$10-15/drive in reasonable quantities - probably considerably more on a
onesy-twosy basis. You can usually even arrange to witness the
destruction (sometimes for a fee) although some shops will balk about
safety/liability issues. Best method is to try to piggyback on a company
that already has a data/drive destruction contract with one of these
shops (they're often associated with, or part of, a commercial secure
paper-shredding shop).
Regards,
..
02-24-2008, 07:17 PM
Re: How many overwrites for secure erase?
bealoid <signup@bealoid.co.uk> writes:
>"Sebastian G." <seppi@seppig.de> wrote in
>news:62as0jF21pbucU1@mid.dfncis.de:
>[snip]
>> Either you have a really really long fire (hours till days) of
>> constant high heat, or you may simply resort to degaussing or acid.
>Obviously: Degaussing the platters, not the whole drive. Which I've seen
>people recommend as a way of disk erasing.
Degaussing would I think be a terrible technique. It would leave data all
over the place. Fire will do it-- raise the temp about the Neel point and
the domains all disappear.
02-24-2008, 07:28 PM
Re: How many overwrites for secure erase?
ibuprofin@painkiller.example.tld (Moe Trin) writes:
>On Sat, 23 Feb 2008, in the Usenet newsgroup alt.computer.security, in article
><MNWvj.36872$FO1.1883@edtnps82>, Unruh wrote:
>>"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
>>>The DoD requirements are...
>>
>>>Write a bit pattern such as; 10101010
>>>Write its complement; 01010101
>>>Write another pattern such as; 11110000
>>>Perform that six times.
>>
>>>The disk will then be sanitized.
>>The DoD is a bureaucracy. Although the recommendation probably made sense
>Obviously, you are not a DOD contractor. The wiping process is NOT a
>recommendation, it is an absolute REQUIREMENT. They tell you to do it,
>and you do - no quibbling, no bullshit.
It changes nothing in my comment. You have never seen bureaucracies demand
totally senseless things?
>>once, once they had been promulgated they will never again change no
>>matter how the technology changes. To relax them puts someone's ass on
>>the line.
>Fine - YOU negotiate the contract to do otherwise. Otherwise, you are
>in violation of the contract, and bad things will happen.
And this contradicts anything I said?
>>What if he relaxes them and suddenly some data leaks? Thus they are
>>frozen in time even if they make no sense whatsoever.
>Please stop imagining things. Read the requirements - they're public
>knowledge, and note FURTHER that these are not the most stringent of
>data destruction.
Imagining what? Imagining that bureaucracies can demand things long after
they make any sense whatsoever? You are simply confirming what I said!
>>I would not take their recommendation as indicating anything whatsoever
>>about what the current best practice is. While doing what they say may
>>not harm except that the wipe takes 2 days rather than 20 min.
>So what? Their REQUIREMENT is a REQUIREMENT, not a recommendation, not
>a suggestion. You do it WITH WITNESSES or YOU suffer the consequences.
>Or, do you feel that contract law doesn't apply to you?
>>which means no one does it.
>BULL SHIT! Free clue:
> Web Results 1 - 10 of about 26,300 for computer+data destruction
> Vancouver+BC. (0.21 seconds)
>and that's just Vancouver, BC. The yellow pages here in Phoenix list
>nine companies who will do data destruction and claim to have various
>certifications to do so. We use two of them.
Are you arguing that this makes sense or that it exists? I never disputed
the latter, in fact I confirmed it. I did question whether it made any
sense. If you are disputing that it makes no sense, then arguments like
"everyone does it" are not terribly persuasive.
> Old guy
And you are not usually a blind defender of bureaucracies.
02-24-2008, 07:34 PM
Re: How many overwrites for secure erase?
Unruh wrote:
> bealoid <signup@bealoid.co.uk> writes:
>
>> "Sebastian G." <seppi@seppig.de> wrote in
>> news:62as0jF21pbucU1@mid.dfncis.de:
>
>> [snip]
>
>>> Either you have a really really long fire (hours till days) of
>>> constant high heat, or you may simply resort to degaussing or acid.
>
>> Obviously: Degaussing the platters, not the whole drive. Which I've seen
>> people recommend as a way of disk erasing.
>
> Degaussing would I think be a terrible technique. It would leave data all
> over the place.
Maybe you should look up how degaussing works...
> Fire will do it-- raise the temp about the Neel point and
> the domains all disappear.
Fire is terrible because you have to ensure that all domains get to this
temperature without some other parts, being burnt, working as a thermic
isolator.
02-26-2008, 10:20 PM
Re: How many overwrites for secure erase?
Moe Trin wrote:
> On Sat, 23 Feb 2008, in the Usenet newsgroup alt.computer.security, in article
> <YBZvj.234$R_5.180@trnddc08>, David H. Lipman wrote:
>
>> From: "Moe Trin" <ibuprofin@painkiller.example.tld>
>
>> | and that's just Vancouver, BC. The yellow pages here in Phoenix list
>> | nine companies who will do data destruction and claim to have various
>> | certifications to do so. We use two of them.
>
>> Any DoD Contractor can have the NSA CMC destroy the disks and receive a
>> receipt indicating their destruction. :-)
>
> I'm not exactly sure how our DOD stuff is handled, as it's not my
> bailiwick. On the other hand, I'm guessing that about a quarter of the
> drives here go out for a certified scrub because we're a R&D facility
> and corporate is rather paranoid about some things. Heck, all of the
> waste paper trash is shredded, even if it came from the chief cook's
> office in the employee's cafeteria, just as all hard drives get a 3
> pass (zeros, ones, "random data") wipe when they are taken out of
> service. Something like 15 minutes per Gig - big deal, especially
> when you have several "dedicated" boxes to do the job.
>
> Old guy
DOD has a hard drive SHREDDER!
For you and I (assuming You're not a spy) a single overwrite is
quite enough - to get stuff off it requires extreme measures.
02-27-2008, 11:33 PM
Re: How many overwrites for secure erase?
On Tue, 26 Feb 2008, in the Usenet newsgroup alt.computer.security, in article
<JrKdndJ_eYM6A1nanZ2dnUVZ_oDinZ2d@comcast.com>, Rick Merrill wrote:
>Moe Trin wrote:
>> I'm not exactly sure how our DOD stuff is handled, as it's not my
>> bailiwick. On the other hand, I'm guessing that about a quarter of the
>> drives here go out for a certified scrub because we're a R&D facility
>> and corporate is rather paranoid about some things. Heck, all of the
>> waste paper trash is shredded, even if it came from the chief cook's
>> office in the employee's cafeteria, just as all hard drives get a 3
>> pass (zeros, ones, "random data") wipe when they are taken out of
>> service. Something like 15 minutes per Gig - big deal, especially
>> when you have several "dedicated" boxes to do the job.
>DOD has a hard drive SHREDDER!
Wonder what classification level it's allowed to. Like I say, I'm not
on the DOD side of the house.
>For you and I (assuming You're not a spy) a single overwrite is
>quite enough - to get stuff off it requires extreme measures.
That assumes that the critical piece of data wasn't written to a track
that later developed a "fault" and the drive automagically swapped out
the track for one of the spares. (When the drive swaps out a bad track,
the data is copied to a spare track, the old track is marked unusable,
but that track is not erased - the data is still there though it might
be harder to read than normal.) Functionally, you're probably correct,
and in most cases no one is going to spend the heroic amounts of time
and money to recover the wiped stuff (ignore the obvious lies on TV
shows like "CSI-$CITY"). At work, the rules say a certified scrub for
certain drives, and a simple triple wipe for all others. They have
their reasons, and they are the ones paying for the time/energy to do
the wipe, so why should I do something else?
Old guy
02-28-2008, 10:17 PM
Re: How many overwrites for secure erase?
Rick Merrill <rick0.merrill@NOSPAM.gmail.com> wrote in
news:JrKdndJ_eYM6A1nanZ2dnUVZ_oDinZ2d@comcast.com:
[snip]
> For you and I (assuming You're not a spy) a single overwrite is
> quite enough - to get stuff off it requires extreme measures.
Here's the thing: What attacks exist to recover data over-written just once
with a bunch of 0 bits?
No company (AFAIK) will recover data overwritten like that.
So now the attack model has to assume exotic alien tech. In which case
there's no way of knowing if eight or a gajillion overwrites of random bits
is enough.
It'd be really cool to see results for an attack that recovers overwritten
data. And what kind of data would be the most important.
02-28-2008, 10:47 PM
Re: How many overwrites for secure erase?
bealoid wrote:
> Rick Merrill <rick0.merrill@NOSPAM.gmail.com> wrote in
> news:JrKdndJ_eYM6A1nanZ2dnUVZ_oDinZ2d@comcast.com:
>
> [snip]
>
>> For you and I (assuming You're not a spy) a single overwrite is
>> quite enough - to get stuff off it requires extreme measures.
>
> Here's the thing: What attacks exist to recover data over-written just once
> with a bunch of 0 bits?
A very simple one:
1. read the data as an analogue signal
2. interpret the signal as digital signal
3. calculate the ideal analogue signal that represents these digital data
4. calculate the difference between the two, the result is the overlap of
the previous signal(s) and noise
(5. repeat)
> No company (AFAIK) will recover data overwritten like that.
AFAIK many companies actually offer this procedure if more trivial measures
fail, but for a horrible price.
> So now the attack model has to assume exotic alien tech.
The above is not alien. However, the success rate with modern hard drives
should be in the dimension of 1%, that is they'll recover each bit correctly
with a chance of 51%, 1% different from pure guessing (which is still
statistically significant).
02-29-2008, 07:17 AM
Re: How many overwrites for secure erase?
"Sebastian G." <seppi@seppig.de> writes:
>bealoid wrote:
>> Rick Merrill <rick0.merrill@NOSPAM.gmail.com> wrote in
>> news:JrKdndJ_eYM6A1nanZ2dnUVZ_oDinZ2d@comcast.com:
>>
>> [snip]
>>
>>> For you and I (assuming You're not a spy) a single overwrite is
>>> quite enough - to get stuff off it requires extreme measures.
>>
>> Here's the thing: What attacks exist to recover data over-written just once
>> with a bunch of 0 bits?
>A very simple one:
>1. read the data as an analogue signal
How?
>2. interpret the signal as digital signal
>3. calculate the ideal analogue signal that represents these digital data
>4. calculate the difference between the two, the result is the overlap of
>the previous signal(s) and noise
Yes, noise dominates.
>(5. repeat)
What good does that do? The noise is there on the platter. And because of
the very complex data encoding that "signal" has only an indirect
relation to the actual data.
>> No company (AFAIK) will recover data overwritten like that.
>AFAIK many companies actually offer this procedure if more trivial measures
>fail, but for a horrible price.
Perhaps you could tell us some, and tell us how you know they offer this
service.
>> So now the attack model has to assume exotic alien tech.
>The above is not alien. However, the success rate with modern hard drives
>should be in the dimension of 1%, that is they'll recover each bit correctly
>with a chance of 51%, 1% different from pure guessing (which is still
>statistically significant).
02-29-2008, 09:16 AM
Re: How many overwrites for secure erase?
Unruh wrote:
>> 1. read the data as an analogue signal
>
> How?
Move the platters into a special reader which gives you the signal directly,
or use a laser.
>> 2. interpret the signal as digital signal
>> 3. calculate the ideal analogue signal that represents these digital data
>> 4. calculate the difference between the two, the result is the overlap of
>> the previous signal(s) and noise
> Yes, noise dominates.
>> (5. repeat)
>
> What good does that do? The noise is there on the platter. And because of
> the very complex data encoding that "signal" has only an indirect
> relation to the actual data.
You can apply the exact decoding and error correction to extract both the
most likely data and their confidence. Which, even in presence of strong
noise, works very well with Turbo-like Codes.
But the Turbo-Like Codes made it possible to get within 10% of the Shannon
limit while still retaining a very low bit error rate, that's why today
there's not much redundancy left to exploit.
>> AFAIK many companies actually offer this procedure if more trivial measures
>> fail, but for a horrible price.
>
> Perhaps you could tell us some, and tell us how you know they offer this
> service.
As I already said: If you ever had something that couldn't be recovered,
they offer you such drastic measures for about 10 to 100 times the price.
Almost any customer can tell you this, and even PC World and Heise have
already experienced this (because they sent in a hard drive overwritten with
zeros; sadly they refused to try the better recovery mechanisms).
This is nothing special though, even Peter Gutmann mentions much more potent
ways like magnetic force scanning tunneling microscopy.
02-29-2008, 01:19 PM
Re: How many overwrites for secure erase?
"Sebastian G." <seppi@seppig.de> wrote in
news:62q4cpF2486s5U1@mid.dfncis.de:
[snip]
> This is nothing special though, even Peter Gutmann mentions much more
> potent ways like magnetic force scanning tunneling microscopy.
And even Gutmann says that no longer works and that 3 random overwrites is
about as good as you can do.
02-29-2008, 01:41 PM
Re: How many overwrites for secure erase?
bealoid wrote:
> "Sebastian G." <seppi@seppig.de> wrote in
> news:62q4cpF2486s5U1@mid.dfncis.de:
>
> [snip]
>
>> This is nothing special though, even Peter Gutmann mentions much more
>> potent ways like magnetic force scanning tunneling microscopy.
>
> And even Gutmann says that no longer works and that 3 random overwrites is
> about as good as you can do.
And even I wrote that one overwrite is enough, but this doesn't change the
result that such techniques allow to retrieve information statistically
significantly better than random guessing. If the high level data are
encoded with redundancy as well, this might be a problem.
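The 51% per-bit figure and the redundancy remark from the posts above, worked through as an added example (not code from any poster in the thread). It assumes bit errors are independent across bits and across copies, which the thread does not establish; the function names are made up for this illustration.

```python
import math

def block_success(p: float, n_bits: int) -> float:
    """Chance that all n_bits are recovered correctly (independent bit errors)."""
    return p ** n_bits

def advantage_bits(p: float, n_bits: int) -> float:
    """Bits of guessing work saved versus blind guessing: n * log2(2p)."""
    return n_bits * math.log2(2 * p)

def majority_correct(p: float, copies: int) -> float:
    """Chance that a majority vote over an odd number of independent noisy
    copies of one bit is right (0 < p < 1). Summed in log space so that
    thousands of copies do not underflow."""
    if copies % 2 == 0:
        raise ValueError("use an odd number of copies to avoid ties")
    q = 1.0 - p
    total = 0.0
    for k in range(copies // 2 + 1, copies + 1):
        log_term = (math.lgamma(copies + 1) - math.lgamma(k + 1)
                    - math.lgamma(copies - k + 1)
                    + k * math.log(p) + (copies - k) * math.log(q))
        total += math.exp(log_term)
    return total

def copies_needed(p: float, target: float) -> int:
    """Smallest odd number of copies whose majority vote reaches target.
    Majority accuracy rises monotonically with odd copy counts when p > 0.5."""
    if not 0.5 < p < 1.0 or not 0.5 < target < 1.0:
        raise ValueError("need 0.5 < p < 1 and 0.5 < target < 1")
    hi = 0  # candidate copy count is 2*m + 1
    while majority_correct(p, 2 * hi + 1) < target:
        hi = 2 * hi + 1
    lo = 0
    while lo < hi:  # binary search for the first m that reaches target
        mid = (lo + hi) // 2
        if majority_correct(p, 2 * mid + 1) >= target:
            hi = mid
        else:
            lo = mid + 1
    return 2 * lo + 1

if __name__ == "__main__":
    p = 0.51  # per-bit figure quoted in the thread
    print(f"one byte fully correct: {block_success(p, 8):.5f} (blind guess {2**-8:.5f})")
    print(f"128-bit key, work saved: {advantage_bits(p, 128):.2f} bits")
    print(f"3 copies, majority vote: {majority_correct(p, 3):.4f}")
    print(f"copies for 90% per bit:  {copies_needed(p, 0.90)}")
```

Under these assumptions a high-entropy secret stored once loses only a few bits of strength, while data that exists in thousands of independently readable copies is where a 1% edge per bit starts to add up.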