Hmm...

Hi.

I saw this:

http://groups.google.com/group/comp.os.linux.hardware/msg/dc 0d19d1d233f2b7

Could there be any way to induce this on demand as part of a hard drive
self destruct sequence?

Re: Hmm...

On 25 Sep 2006, in the Usenet newsgroup comp.security.misc, in article
<1159174026.545376.146880@i42g2000cwa.googlegroups.com>, mike4ty4@yahoo.com
wrote:

>I saw this:
>
>http://groups.google.com/group/comp.os.linux.hardware/msg/d c0d19d1d233f2b7
>
>Could there be any way to induce this on demand as part of a hard drive
>self destruct sequence?

What part of the article are you referring to? A head crash on a "modern"
drive is pretty rare. If you're referring to

We once had a head crash on a bunch of systems where a head touched a
platter, crashing that track. The dust it threw up caused all the rest of
the heads on that drive (ten two-sided disks) to crash: 20 dead heads.

and

Unfortunately, the problem escalated since it was a weekend and no one was
on duty. The dust ultimately got out of those disk drives and crashed the
three disk drives on each of the other systems in that room. I think we
lost about 24 hard drives before anyone got in there on a Monday morning.

you should be aware that Jean-David is a dinosaur, and the clue might be

These days we would just replace the hard drives, but in those days a
hard drive cost between $10,000 and $40,000 (depends on just when).

That was more than a few weeks ago, and the disk technology has changed
just a bit - those were _probably_ RM03s, with a capacity of 67 Megabytes
and the platters were 14 inch diameter. The media was what amounted to be
iron oxide _glued_ to an aluminum disk, verses todays plated or sputtered
film a few millionths of an inch thick. Shock, and dust (even something
as fine as cigarette smoke) was all it took back then.

Old guy

Re: Hmm...

Moe Trin wrote:
> On 25 Sep 2006, in the Usenet newsgroup comp.security.misc, in article
> <1159174026.545376.146880@i42g2000cwa.googlegroups.com>, mike4ty4@yahoo.com
> wrote:
>
> >I saw this:
> >
> >http://groups.google.com/group/comp.os.linux.hardware/msg/d c0d19d1d233f2b7
> >
> >Could there be any way to induce this on demand as part of a hard drive
> >self destruct sequence?
>
> What part of the article are you referring to? A head crash on a "modern"
> drive is pretty rare. If you're referring to
>
> We once had a head crash on a bunch of systems where a head touched a
> platter, crashing that track. The dust it threw up caused all the rest of
> the heads on that drive (ten two-sided disks) to crash: 20 dead heads.
>
> and
>
> Unfortunately, the problem escalated since it was a weekend and no one was
> on duty. The dust ultimately got out of those disk drives and crashed the
> three disk drives on each of the other systems in that room. I think we
> lost about 24 hard drives before anyone got in there on a Monday morning.
>
> you should be aware that Jean-David is a dinosaur, and the clue might be
>
> These days we would just replace the hard drives, but in those days a
> hard drive cost between $10,000 and $40,000 (depends on just when).
>
> That was more than a few weeks ago, and the disk technology has changed
> just a bit - those were _probably_ RM03s, with a capacity of 67 Megabytes
> and the platters were 14 inch diameter. The media was what amounted to be
> iron oxide _glued_ to an aluminum disk, verses todays plated or sputtered
> film a few millionths of an inch thick. Shock, and dust (even something
> as fine as cigarette smoke) was all it took back then.
>
> Old guy

But is it possible to INDUCE a crash somehow? Can a crash on a "modern"
drive do that type of damage? What I want is a mechanism inside a
computer
that will achieve the following once activated:

1. Destroy all the data on the system to "military-level", ie. not even
the
US Government could recover the data from the drives. This means
physical destruction of the magnetic media. A good head crash that
scrubs off all the magnetic material ought to do that. There's some
pictures here of someone that had something close to this happen:

http://www.astro.ufl.edu/~ken/crash/

Note how the platter was scrubbed all the way down to the glass
substrate. I want a way to get that to happen on demand, and
to get the WHOLE THING transparent (unlike the pics where some
stuff survived). And it has to be FAST (at most the lifespan of a
battery-backup power supply).

2. Disassemble the computer chassis, casing, etc. so the parts are
separated to some degree. This might involve cutting the wirepacks too.

Not only does this make the computer hard to use, it also makes it
easier to manage the waste because there's less manual labor involved
in dismantling the system. This describes what I'm thinking about, only
it would be part of the computer death process:

http://www.treehugger.com/files/2006/07/innovative_gadg.php

3. Safety. Thermite, etc. are not options as those would probably burn
down the building the thing is in. I want the computer destroyed but
with
little or no harm to the surroundings.

Anyway, that's what I want.

Re: Hmm...

In article <1159578047.495830.58060@m73g2000cwd.googlegroups.com>,
wrote:

>But is it possible to INDUCE a crash somehow? Can a crash on a "modern"
>drive do that type of damage? What I want is a mechanism inside a
>computer
>that will achieve the following once activated:

>1. Destroy all the data on the system to "military-level", ie. not even
>the
>US Government could recover the data from the drives. This means
>physical destruction of the magnetic media. A good head crash that
>scrubs off all the magnetic material ought to do that.

No, typical modern drives are rated to about 100 g, and their
control logic has been moved onto the drive where you can't get to it
to force it to misbehave.

At the very least, you'd need custom control logic -- and I doubt
highly that you'd be able to arrange the head crash to get -all- of
the media in that case.

High security installations apparently use expensive high-security
drives, and don't mind using solid state instead of magnetic media,
and don't mind using an EMP pulse to erase data. Watch out with
solid state, though, as typical DRAM does -not- lose all of its
information immediately; a paper was published a couple of years ago
showing that you could recover a fair bit of information if you could
get power back to the chips within a short time (on the order of 5 minutes.)


>3. Safety. Thermite, etc. are not options as those would probably burn
>down the building the thing is in. I want the computer destroyed but
>with little or no harm to the surroundings.

Then you don't want your security enough. If the information is not
valuable enough to be worth risking a few lives, then it isn't valuable
enough to worry about making it impossible for the US government
to recover -any- of it.


If you are storing officially classified information that was legally
obtained, then the information-holding authorization was
conditional upon following official storage and disposal practices.
If you don't know what those disposal practices are then ask up
the chain. I won't tell you what they are: "Those who tell, don't know.
And those who know, can't tell."

If you are holding classified information for the US government,
then you don't worry about destroying it to the point that the
US government cannot recover it: you worry about destroying it to
the point that -other- governments or organizations can't recover it.
And you'd follow official procedures, however long they took; and
if you were in a covert intelligence situation then you'd have
access to experts on protecting the data.

If you are holding classified information for a country that
cannot permit the US government to see any of it, then follow the
procedures and technologies approved by that country.

If the data is -not- officially classified, but it is still vitally
important that the US government not be able to recover any of it...
the only kind of highly sensitive information I can think of that is
not a product of illegalities is certain human rights related information
(historically, the US has sometimes backed repressive regimes). If
you are operating in the shadow area where what you are doing is
legal but sensitive enough that some part of the US government
might realistically Be Out To Get You, then you probably need to worry
about a lot more than hard drives -- why bother to seize a computer
when putting a bug on it (or on you) might be nearly as useful?

Re: Hmm...

On 29 Sep 2006, in the Usenet newsgroup comp.security.misc, in article
<1159578047.495830.58060@m73g2000cwd.googlegroups.com>, mike4ty4@yahoo.com
wrote:

>But is it possible to INDUCE a crash somehow? Can a crash on a "modern"
>drive do that type of damage?

I don't see how, and unless you _really_ jump through some hoops, you have
the problem about seeing that the magnetic "dust" is small enough to not
be readable (see http://cmrr.ucsd.edu/hughes/CmrrSecureEraseProtocols.pdf
where in 2004 a fragment as small as 1/125 inch [0.2 mm] long was readable)
as one end of the problem, and ensuring that the drive doesn't accidentally
go p000f when you least expect it.

>What I want is a mechanism inside a computer that will achieve the
>following once activated:
>
>1. Destroy all the data on the system to "military-level", ie. not even
>the US Government could recover the data from the drives. This means
>physical destruction of the magnetic media.

Hit google, and look for "NISPOM" which is "National Industrial Security
Program Operating Manual" or DoD 5220.22-M, and re-read the definition of
"physical destruction of the magnetic media".

>A good head crash that scrubs off all the magnetic material ought to do
>that.

Unlikely in a modern well-designed drive - because you can't take the chance
that the crash won't completely trash the surfaces AND the residue not be
readable as above.

>There's some pictures here of someone that had something close to this
happen:
>
>http://www.astro.ufl.edu/~ken/crash/

Yeah, but that's an IBM Deathstar - and that is a severe design error, not
an intentional feature. That's why IBM isn't in the hard disk market any more.

>Note how the platter was scrubbed all the way down to the glass
>substrate.

I don't have the specs on the Deathstar, but a "thin film" plated media
thickness is measured in micro-inches (1 u" = 25.4 nanometers), and MAY
have a 1 microinch hard carbon coating as a protective layer/lubricant
on top of that. But at most, you are talking no more than 10 microinch
or a quarter of a micrometer. Not much to "scrub" off.

>I want a way to get that to happen on demand, and to get the WHOLE THING
>transparent (unlike the pics where some stuff survived). And it has to
>be FAST (at most the lifespan of a battery-backup power supply).

You're asking in the wrong place. We're computer types, not mechanical
engineers, and I'm not even sure they'd be the right group. You don't want
to be on Usenet - you want to be talking to the people at a major
university research lab.

But you've also highlighted a problem - "happen on demand". You want the
mechanism to trigger and do the job reliably (never mind that "reliably"
is a quantity we haven't defined), but at the same token, you DON'T want
this happening accidentally.

>2. Disassemble the computer chassis, casing, etc. so the parts are
>separated to some degree. This might involve cutting the wirepacks too.

That's not a security issue.

>3. Safety. Thermite, etc. are not options as those would probably burn
>down the building the thing is in. I want the computer destroyed but
>with little or no harm to the surroundings.

That also goes for explosives, another solution that has been effectively
used in the past.

>Anyway, that's what I want.

Why? Are you trying to develop something to sell to the government as a
sure-fire method of destroying classified material? Because you are not
meeting the requirements of NISPROM (above) you're going to have to talk
to them to see what is acceptable. If you are trying to develop something
for the commercial market (that is NOT doing government classified work),
then you need only "wipe the disk". There are plenty of applications
that will do that, but they take time - lots of it. One possible way
around that would be to modify the control circuitry on the hard drive
such that it writes an alternating 1/0 pattern (not data, but at the media
level) directly to the head which is then stepped all the way across the
platter. This can be done to all writable surfaces AT ONCE. Assuming
that a track-to-track movement of the head tapes three revolutions of the
media (conservative), 5000 tracks per radial inch, and a 2 inch radius
(impossible on a 3.5 inch drive, but it's only numbers), it would take
30,000 revolutions of the media to wipe once. How fast is your drive? I
use slow (5400 rpm) drives - under six seconds for a single pass. Repeat
that ten times - in less than a minute, there is nothing usable on the
drive. Technically, that doesn't meet NISPROM for (US) Secret and below,
because that document required 3 passes of all ones, all zeros, and then
random data (but this is at the hard drive data bus level, not the RLL
encoded data on the media), but I think you could convince people that it's
reasonable. This also gets around the "swapped out sectors" problem of
modern hard drives. This involves altering the control board on the
individual drive, and I'm not sure there is a market large enough to
amortize the redesign costs - though anyone building hard drives could
do so if desired. The problem remains those "false alarms" - you don't
want the drive wiping accidentally. On the other hand, if the drive is in
an accident such that the computer gets smashed up, you might have a problem
ensuring that the drive can still erase itself. That ought to make the
people over on the Risks Digest of the ACM (news://comp.risks/) happy.

Old guy

Re: Hmm...

On Sat, 30 Sep 2006, in the Usenet newsgroup comp.security.misc, in article
<1IrTg.69204$5R2.2577@pd7urf3no>, Walter Roberson wrote:

>If you are storing officially classified information that was legally
>obtained, then the information-holding authorization was
>conditional upon following official storage and disposal practices.

Absolutely.

>If you don't know what those disposal practices are then ask up
>the chain. I won't tell you what they are: "Those who tell, don't know.
>And those who know, can't tell."

That might be the case in Canada, but it sure as hell is NOT the case here.
NISPROM spells it out fairly clearly, and even though it's an old document,
it is available as close as the nearest Internet search engine..

>If you are holding classified information for the US government,
>then you don't worry about destroying it to the point that the
>US government cannot recover it: you worry about destroying it to
>the point that -other- governments or organizations can't recover it.
>And you'd follow official procedures, however long they took;

and no matter how dangerous they might be/appear to be.

>If the data is -not- officially classified, but it is still vitally
>important that the US government not be able to recover any of it...
>the only kind of highly sensitive information I can think of that is
>not a product of illegalities is certain human rights related information
>(historically, the US has sometimes backed repressive regimes).

I suspect the O/P is using unspecified parts of the US government as a
measure of how much the opponent may be able to go to recover the data.

>If you are operating in the shadow area where what you are doing is
>legal but sensitive enough that some part of the US government
>might realistically Be Out To Get You, then you probably need to worry
>about a lot more than hard drives -- why bother to seize a computer
>when putting a bug on it (or on you) might be nearly as useful?

And then, the data may merely be evidence of common criminal activities
and the O/P doesn't want to spend some time in the slammer - no matter
what the country.

Old guy

Re: Hmm...

Walter Roberson wrote:
> In article <1159578047.495830.58060@m73g2000cwd.googlegroups.com>,
> wrote:
>
> >But is it possible to INDUCE a crash somehow? Can a crash on a "modern"
> >drive do that type of damage? What I want is a mechanism inside a
> >computer
> >that will achieve the following once activated:
>
> >1. Destroy all the data on the system to "military-level", ie. not even
> >the
> >US Government could recover the data from the drives. This means
> >physical destruction of the magnetic media. A good head crash that
> >scrubs off all the magnetic material ought to do that.
>
> No, typical modern drives are rated to about 100 g, and their
> control logic has been moved onto the drive where you can't get to it
> to force it to misbehave.
>
> At the very least, you'd need custom control logic -- and I doubt
> highly that you'd be able to arrange the head crash to get -all- of
> the media in that case.
>
> High security installations apparently use expensive high-security
> drives, and don't mind using solid state instead of magnetic media,
> and don't mind using an EMP pulse to erase data. Watch out with
> solid state, though, as typical DRAM does -not- lose all of its
> information immediately; a paper was published a couple of years ago
> showing that you could recover a fair bit of information if you could
> get power back to the chips within a short time (on the order of 5 minutes.)
>
>
> >3. Safety. Thermite, etc. are not options as those would probably burn
> >down the building the thing is in. I want the computer destroyed but
> >with little or no harm to the surroundings.
>
> Then you don't want your security enough. If the information is not
> valuable enough to be worth risking a few lives, then it isn't valuable
> enough to worry about making it impossible for the US government
> to recover -any- of it.
>
>
> If you are storing officially classified information that was legally
> obtained, then the information-holding authorization was
> conditional upon following official storage and disposal practices.
> If you don't know what those disposal practices are then ask up
> the chain. I won't tell you what they are: "Those who tell, don't know.
> And those who know, can't tell."
>
> If you are holding classified information for the US government,
> then you don't worry about destroying it to the point that the
> US government cannot recover it: you worry about destroying it to
> the point that -other- governments or organizations can't recover it.
> And you'd follow official procedures, however long they took; and
> if you were in a covert intelligence situation then you'd have
> access to experts on protecting the data.
>
> If you are holding classified information for a country that
> cannot permit the US government to see any of it, then follow the
> procedures and technologies approved by that country.
>
> If the data is -not- officially classified, but it is still vitally
> important that the US government not be able to recover any of it...
> the only kind of highly sensitive information I can think of that is
> not a product of illegalities is certain human rights related information
> (historically, the US has sometimes backed repressive regimes). If
> you are operating in the shadow area where what you are doing is
> legal but sensitive enough that some part of the US government
> might realistically Be Out To Get You, then you probably need to worry
> about a lot more than hard drives -- why bother to seize a computer
> when putting a bug on it (or on you) might be nearly as useful?

Question on this topic. I read a newspaper article where a major (big
ten) university's "property disposition department", who was
responsible for destroying hard drive data (whethern administration,
faculty, or student data) - had "destroyed all data on hard drives
according to policy" - but was unsuccessful. They essentially ran
software to delete the data, and then on audit, they found that they
recovers student papers, administrative financial information,
including student/staff SSN information.

So, if the following was performed, what would the likelihood of data
destruction be?:
1. Perform a "normal" deletion through the OS.
2. Run software on the drive for the DOD three step process.
3. Use a disk editor to "zero" all bytes.
4. Install a lower grade (not one installed on before) to partition
and format.
5. Use yet another OS to do a format/verify.
6. Encrypt or scramble data to the drive in an alternate language
(piss-poor source code as a language or mixed incoherent source code
allowed here as a substitute on this step), filling all bits on the
drive.
6a. Write incoherent random documents and staff flyers to the drive
(may load from a usb device if necessary)
7. Run a handheld magnetic device over the drive.
8. Dismantle the drive, including all platters if possible.
9. If not, "freeze" the platter(s). Throw or catapult it to a
sidewalk or wall with a minimum 150'.
10. Collect as many pieces as possible and toss into a loose bag and
then toss into a alligator filled swamp.
11. Go out and enjoy an adult beverage.

Would this do the trick?

Re: Hmm...

"James" writes:


>Walter Roberson wrote:
>> In article <1159578047.495830.58060@m73g2000cwd.googlegroups.com>,
>> wrote:
>>
>> >But is it possible to INDUCE a crash somehow? Can a crash on a "modern"

No.

>> >drive do that type of damage? What I want is a mechanism inside a
>> >computer
>> >that will achieve the following once activated:

A bomb.

>>
>> >1. Destroy all the data on the system to "military-level", ie. not even
>> >the
>> >US Government could recover the data from the drives. This means
>> >physical destruction of the magnetic media. A good head crash that
>> >scrubs off all the magnetic material ought to do that.

No it does not mean physical destruction, but if you want physical
destruction then destroy it. Or did you want some button you could push
when the police storm in the door to destroy the drive?

>>
>> No, typical modern drives are rated to about 100 g, and their
>> control logic has been moved onto the drive where you can't get to it
>> to force it to misbehave.
>>
>> At the very least, you'd need custom control logic -- and I doubt
>> highly that you'd be able to arrange the head crash to get -all- of
>> the media in that case.
>>
>> High security installations apparently use expensive high-security
>> drives, and don't mind using solid state instead of magnetic media,
>> and don't mind using an EMP pulse to erase data. Watch out with
>> solid state, though, as typical DRAM does -not- lose all of its
>> information immediately; a paper was published a couple of years ago
>> showing that you could recover a fair bit of information if you could
>> get power back to the chips within a short time (on the order of 5 minutes.)
>>
>>
>> >3. Safety. Thermite, etc. are not options as those would probably burn
>> >down the building the thing is in. I want the computer destroyed but
>> >with little or no harm to the surroundings.
>>
>> Then you don't want your security enough. If the information is not
>> valuable enough to be worth risking a few lives, then it isn't valuable
>> enough to worry about making it impossible for the US government
>> to recover -any- of it.
>>
>>
>> If you are storing officially classified information that was legally
>> obtained, then the information-holding authorization was
>> conditional upon following official storage and disposal practices.
>> If you don't know what those disposal practices are then ask up
>> the chain. I won't tell you what they are: "Those who tell, don't know.
>> And those who know, can't tell."
>>
>> If you are holding classified information for the US government,
>> then you don't worry about destroying it to the point that the
>> US government cannot recover it: you worry about destroying it to
>> the point that -other- governments or organizations can't recover it.
>> And you'd follow official procedures, however long they took; and
>> if you were in a covert intelligence situation then you'd have
>> access to experts on protecting the data.
>>
>> If you are holding classified information for a country that
>> cannot permit the US government to see any of it, then follow the
>> procedures and technologies approved by that country.
>>
>> If the data is -not- officially classified, but it is still vitally
>> important that the US government not be able to recover any of it...
>> the only kind of highly sensitive information I can think of that is
>> not a product of illegalities is certain human rights related information
>> (historically, the US has sometimes backed repressive regimes). If
>> you are operating in the shadow area where what you are doing is
>> legal but sensitive enough that some part of the US government
>> might realistically Be Out To Get You, then you probably need to worry
>> about a lot more than hard drives -- why bother to seize a computer
>> when putting a bug on it (or on you) might be nearly as useful?

>Question on this topic. I read a newspaper article where a major (big
>ten) university's "property disposition department", who was
>responsible for destroying hard drive data (whethern administration,
>faculty, or student data) - had "destroyed all data on hard drives
>according to policy" - but was unsuccessful. They essentially ran
>software to delete the data, and then on audit, they found that they
>recovers student papers, administrative financial information,
>including student/staff SSN information.

Sounds like incompetence to me.



>So, if the following was performed, what would the likelihood of data
>destruction be?:
>1. Perform a "normal" deletion through the OS.

Trivial to recover.

>2. Run software on the drive for the DOD three step process.

What the the dod 3 step process?

>3. Use a disk editor to "zero" all bytes.

Disk editory? I think I would rather write over them with "random" bytes.
Probably unrecoverable with modern drives, but maybe not.


>4. Install a lower grade (not one installed on before) to partition
>and format.

??? No idea waht "install a lower grade" means.

>5. Use yet another OS to do a format/verify.

Trivial to overcome
>6. Encrypt or scramble data to the drive in an alternate language
>(piss-poor source code as a language or mixed incoherent source code
>allowed here as a substitute on this step), filling all bits on the
>drive.

This is just overwriting with random data.

>6a. Write incoherent random documents and staff flyers to the drive
>(may load from a usb device if necessary)

staff flyers? Just write random stuff to the whole drive.

dd if=/dev/urandom of=/dev/hdd bs=1M



>7. Run a handheld magnetic device over the drive.

Trivail to recover.

>8. Dismantle the drive, including all platters if possible.

Trivial to recover.

>9. If not, "freeze" the platter(s). Throw or catapult it to a
>sidewalk or wall with a minimum 150'.

Trivial to recover.

>10. Collect as many pieces as possible and toss into a loose bag and
>then toss into a alligator filled swamp.

Trivial to recover.

>11. Go out and enjoy an adult beverage.

Even more trivial to recover.



>Would this do the trick?
oNo.

Over write with random data, then open the drive and put it into a furnace
and heat the platers red hot.

Re: Hmm...

On 8 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
<1160351511.905597.100370@e3g2000cwe.googlegroups.com>, James wrote:

>Question on this topic. I read a newspaper article where a major (big
>ten) university's "property disposition department", who was
>responsible for destroying hard drive data (whethern administration,
>faculty, or student data) - had "destroyed all data on hard drives
>according to policy" - but was unsuccessful. They essentially ran
>software to delete the data, and then on audit, they found that they
>recovers student papers, administrative financial information,
>including student/staff SSN information.

Have a cite? The university's "property disposition department" is
totally incompetent. Depending on the jurisdiction, this could be a
criminally prosecution situation (not here unfortunately - gross
stupidity hasn't been made into a Class 1 felony yet, possibly because
there isn't enough jail space).

>So, if the following was performed, what would the likelihood of data
>destruction be?:

This is an "angels dancing on the head of a pin" type question, but
what-the heck. You have to answer just two questions first:

A) Who is your opponent? Mommy? Mommy who happens to work at a secret
three-letter-agency crime lab? That (or some similar) agency acting in
an official capacity? This implies the skill and effort that will be
brought to bear against the problem.

B) What is on the disk, and what will be the consequences if someone
decides to try to recover the data. What is that "cost" compared to the
efforts/costs needed to make recovery impossible.

>1. Perform a "normal" deletion through the OS.

Useless. At most, this "deletes" the directory entry. More than twenty
years ago, Peter Norton made a fortune selling an "undelete" program
for MS-DOS. The concept is unchanged. Two months ago, you were taking
about using Linux. See if you have a copy of the Ext2fs-Undeletion (there
was also a "Ext2fs-Undeletion-Dir-Struct" - since withdrawn) mini-howtos.

>2. Run software on the drive for the DOD three step process.

By this, I presume you mean NISPROM - the US DoD-5220M document. This
will take care of a common snooper as it is the technique used for up-to
US Secret. It is not fool-proof. See the rather outdated Gutmann paper
(http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) , and think
about "hot-swap" _sectors_ (where the drive silently swaps out "defective"
sectors with spares - the data on those "defective" sectors IS STILL THERE
and readable with extra effort). Then read the more recent Hughes paper
(http://cmrr.ucsd.edu/hughes/CmrrSecureEraseProtocols.pdf) for what was
possible in 2004.

>3. Use a disk editor to "zero" all bytes.

More or less, this is the first step in the DoD 5220M requirements.

>4. Install a lower grade (not one installed on before) to partition
>and format.

What is this supposed to mean?

>5. Use yet another OS to do a format/verify.

At best, this is doing nothing additional to what's been done with the
DoD procedure. More likely, it's doing nothing useful.

>6. Encrypt or scramble data to the drive in an alternate language
>(piss-poor source code as a language or mixed incoherent source code
>allowed here as a substitute on this step), filling all bits on the
>drive.
>6a. Write incoherent random documents and staff flyers to the drive
>(may load from a usb device if necessary)

Step three of the DoD procedure.

>7. Run a handheld magnetic device over the drive.

Totally useless. A "high density" floppy (5 1/4 inch - 1.2 Meg) from 1984
had a coercivity of 600 Oersteds (the 3 1/2 inch 1.44 was higher at 720,
and the 3 1/2 inch 2.88 Meg drive higher still at 750 Oersteds), and the
average hand magnet didn't do a whole lot to them. The latest hard drives
are more than an order of magnitude magnetically "stiffer" than those high
density floppies. Are you old enough to remember reel-to-reel tapes?
The bulk tape eraser (a two pound/one kilo electro-magnet using about two
amperes) would do in a floppy, but not a hard disk - even if in contact
with the media.

>8. Dismantle the drive, including all platters if possible.
>9. If not, "freeze" the platter(s). Throw or catapult it to a
>sidewalk or wall with a minimum 150'.

Last sentence not clear.

>10. Collect as many pieces as possible and toss into a loose bag and
>then toss into a alligator filled swamp.

Two bad ideas. Better to scatter the pieces to the four winds. Alligator
filled swap might slow things down (regulatory approval, tree-huggers,
and so on), but won't do anything long term if the disks are important
enough.

>11. Go out and enjoy an adult beverage.

It's a bit early in the day for that.

>Would this do the trick?

Nope. Read the two cited papers above and the NISPROM requirements.
If you want to permanently destroy the information, the only sure solution
is the destruction of the magnetic media. Take the platters out, and heat
them above the Curie point - then to be sure, chuck the platters on an
axle, spin them up, then use an ultra fine abrasive to grind the platters
to a powder. Don't forget to wear protective clothing while doing so.

Not willing to go that far? Take the platters out, and use an ultra-fine
(600 grit or finer) "sand-paper" to gently remove the thin film coating
from the platter. You want the resulting dust to be no larger than 2 to 5
thousandths of an inch an any dimension. Dispose of the dust by scattering
it from a height over a few thousand feet above the ground/sea.

Still to much effort? Use your Linux box to write to the entire disk using
the 'dd' command, first all zeros - then all ones, lather, rinse, repeat.
When you think it's done, repeat two more passes, then overwrite with
/dev/random (which will take a LONG time to do). Get the picture?

Old guy

Re: Hmm...

Moe Trin wrote:
> On 8 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
> <1160351511.905597.100370@e3g2000cwe.googlegroups.com>, James wrote:
>
> >Question on this topic. I read a newspaper article where a major (big
> >ten) university's "property disposition department", who was
> >responsible for destroying hard drive data (whethern administration,
> >faculty, or student data) - had "destroyed all data on hard drives
> >according to policy" - but was unsuccessful. They essentially ran
> >software to delete the data, and then on audit, they found that they
> >recovers student papers, administrative financial information,
> >including student/staff SSN information.
>
> Have a cite? The university's "property disposition department" is
> totally incompetent. Depending on the jurisdiction, this could be a
> criminally prosecution situation (not here unfortunately - gross
> stupidity hasn't been made into a Class 1 felony yet, possibly because
> there isn't enough jail space).

No cite, no. So, for argument sake, let's say this is the scenario.
Strictly hypothetical since I don't remember exactly what the paper was
or the published date, nor do I really care one way or the other since
I simply read the article and thought to myself "that must suck for
them".
>
> >So, if the following was performed, what would the likelihood of data
> >destruction be?:
>
> This is an "angels dancing on the head of a pin" type question, but
> what-the heck. You have to answer just two questions first:

ok.

>
> A) Who is your opponent? Mommy? Mommy who happens to work at a secret
> three-letter-agency crime lab? That (or some similar) agency acting in
> an official capacity? This implies the skill and effort that will be
> brought to bear against the problem.
>

Well, mommy doesn't exist anymore, so let us say for the scenario that
in this department, the (erased) hard drives are for sale to the
general public. It could also be anywhere. Joe Blow and Jane doe
average home users who sell used hard drives, or private companies.

> B) What is on the disk, and what will be the consequences if someone
> decides to try to recover the data. What is that "cost" compared to the
> efforts/costs needed to make recovery impossible.

Well, if the old drives contained student papers and personal
information, the administration data were database financial files
(i.e. payroll information, notices, etc), and the staff systems
information. That would be for a university to be a problem. For the
average user, let's say personal information, financial information,
and e-mails to a neighbor for the upcoming vacation house/pet sitter
(an iguana, lets say). Or for a private company, the problem data
could be old merger plans, payroll, source code, etc.
Whay any of these idiots would have that information available in
electronic traces and then offering them for public sale is beyond me,
but let's go with this.

>
> >1. Perform a "normal" deletion through the OS.
>
> Useless. At most, this "deletes" the directory entry. More than twenty
> years ago, Peter Norton made a fortune selling an "undelete" program
> for MS-DOS. The concept is unchanged. Two months ago, you were taking
> about using Linux. See if you have a copy of the Ext2fs-Undeletion (there
> was also a "Ext2fs-Undeletion-Dir-Struct" - since withdrawn) mini-howtos.
>

Exactly, but this is what the averae home user would probably do to
think everything is gone forever, completely unaware of disk
utilitiess, OS limitations, and forensic software.

> >2. Run software on the drive for the DOD three step process.
>
> By this, I presume you mean NISPROM - the US DoD-5220M document. This
> will take care of a common snooper as it is the technique used for up-to
> US Secret. It is not fool-proof. See the rather outdated Gutmann paper
> (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) , and think
> about "hot-swap" _sectors_ (where the drive silently swaps out "defective"
> sectors with spares - the data on those "defective" sectors IS STILL THERE
> and readable with extra effort). Then read the more recent Hughes paper
> (http://cmrr.ucsd.edu/hughes/CmrrSecureEraseProtocols.pdf) for what was
> possible in 2004.

Still looking at the docs.
But let's say this is the first step beyond the average home user.


>
> >3. Use a disk editor to "zero" all bytes.
>
> More or less, this is the first step in the DoD 5220M requirements.

It wouldnt have to be zero, it could be ff hex for the byte value on
each byte. Or it could be random. But for disk editors, it seems it
would be easier to go with one consistent value, or you could write a C
program to fill random values for each byte on disk.


>
> >4. Install a lower grade (not one installed on before) to partition
> >and format.
>
> What is this supposed to mean?

Sorry, this was meant to say "Install a lower grade OS .."
Let's say FAT16 PC-DOS.

>
> >5. Use yet another OS to do a format/verify.
>
> At best, this is doing nothing additional to what's been done with the
> DoD procedure. More likely, it's doing nothing useful.

Let's say a UNIX variant here, and partitioning as well. If we want be
particular, lets say BSD or Sun OS. Still not useful?

>
> >6. Encrypt or scramble data to the drive in an alternate language
> >(piss-poor source code as a language or mixed incoherent source code
> >allowed here as a substitute on this step), filling all bits on the
> >drive.
> >6a. Write incoherent random documents and staff flyers to the drive
> >(may load from a usb device if necessary)
>
> Step three of the DoD procedure.
>

Okay, I see that.

> >7. Run a handheld magnetic device over the drive.
>
> Totally useless. A "high density" floppy (5 1/4 inch - 1.2 Meg) from 1984
> had a coercivity of 600 Oersteds (the 3 1/2 inch 1.44 was higher at 720,
> and the 3 1/2 inch 2.88 Meg drive higher still at 750 Oersteds), and the
> average hand magnet didn't do a whole lot to them. The latest hard drives
> are more than an order of magnitude magnetically "stiffer" than those high
> density floppies. Are you old enough to remember reel-to-reel tapes?
> The bulk tape eraser (a two pound/one kilo electro-magnet using about two
> amperes) would do in a floppy, but not a hard disk - even if in contact
> with the media.

Okay.

>
> >8. Dismantle the drive, including all platters if possible.
> >9. If not, "freeze" the platter(s). Throw or catapult it to a
> >sidewalk or wall with a minimum 150'.

Frozen with something like say NO2, or some other chemical compound
that can freeze the metal completely.

>
> Last sentence not clear.
>
> >10. Collect as many pieces as possible and toss into a loose bag and
> >then toss into a alligator filled swamp.
>
> Two bad ideas. Better to scatter the pieces to the four winds. Alligator
> filled swap might slow things down (regulatory approval, tree-huggers,
> and so on), but won't do anything long term if the disks are important
> enough.
>
> >11. Go out and enjoy an adult beverage.
>
> It's a bit early in the day for that.
>
> >Would this do the trick?
>
> Nope. Read the two cited papers above and the NISPROM requirements.
> If you want to permanently destroy the information, the only sure solution
> is the destruction of the magnetic media. Take the platters out, and heat
> them above the Curie point - then to be sure, chuck the platters on an
> axle, spin them up, then use an ultra fine abrasive to grind the platters
> to a powder. Don't forget to wear protective clothing while doing so.
>
> Not willing to go that far? Take the platters out, and use an ultra-fine
> (600 grit or finer) "sand-paper" to gently remove the thin film coating
> from the platter. You want the resulting dust to be no larger than 2 to 5
> thousandths of an inch an any dimension. Dispose of the dust by scattering
> it from a height over a few thousand feet above the ground/sea.
>
> Still to much effort? Use your Linux box to write to the entire disk using
> the 'dd' command, first all zeros - then all ones, lather, rinse, repeat.
> When you think it's done, repeat two more passes, then overwrite with
> /dev/random (which will take a LONG time to do). Get the picture?
>
> Old guy

Heh. I see that being a better solution. Oh well, still sucks for the
old owners of those hard drives.

Thanks

Re: Hmm...

Moe Trin wrote:
> On 8 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
> <1160351511.905597.100370@e3g2000cwe.googlegroups.com>, James wrote:
>
> >Question on this topic. I read a newspaper article where a major (big
> >ten) university's "property disposition department", who was
> >responsible for destroying hard drive data (whethern administration,
> >faculty, or student data) - had "destroyed all data on hard drives
> >according to policy" - but was unsuccessful. They essentially ran
> >software to delete the data, and then on audit, they found that they
> >recovers student papers, administrative financial information,
> >including student/staff SSN information.
>
> Have a cite? The university's "property disposition department" is
> totally incompetent. Depending on the jurisdiction, this could be a
> criminally prosecution situation (not here unfortunately - gross
> stupidity hasn't been made into a Class 1 felony yet, possibly because
> there isn't enough jail space).
>
> >So, if the following was performed, what would the likelihood of data
> >destruction be?:
>
> This is an "angels dancing on the head of a pin" type question, but
> what-the heck. You have to answer just two questions first:
>
> A) Who is your opponent? Mommy? Mommy who happens to work at a secret
> three-letter-agency crime lab? That (or some similar) agency acting in
> an official capacity? This implies the skill and effort that will be
> brought to bear against the problem.
>
> B) What is on the disk, and what will be the consequences if someone
> decides to try to recover the data. What is that "cost" compared to the
> efforts/costs needed to make recovery impossible.
>
> >1. Perform a "normal" deletion through the OS.
>
> Useless. At most, this "deletes" the directory entry. More than twenty
> years ago, Peter Norton made a fortune selling an "undelete" program
> for MS-DOS. The concept is unchanged. Two months ago, you were taking
> about using Linux. See if you have a copy of the Ext2fs-Undeletion (there
> was also a "Ext2fs-Undeletion-Dir-Struct" - since withdrawn) mini-howtos.
>
> >2. Run software on the drive for the DOD three step process.
>
> By this, I presume you mean NISPROM - the US DoD-5220M document. This
> will take care of a common snooper as it is the technique used for up-to
> US Secret. It is not fool-proof. See the rather outdated Gutmann paper
> (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) , and think
> about "hot-swap" _sectors_ (where the drive silently swaps out "defective"
> sectors with spares - the data on those "defective" sectors IS STILL THERE
> and readable with extra effort). Then read the more recent Hughes paper
> (http://cmrr.ucsd.edu/hughes/CmrrSecureEraseProtocols.pdf) for what was
> possible in 2004.
>
> >3. Use a disk editor to "zero" all bytes.
>
> More or less, this is the first step in the DoD 5220M requirements.
>
> >4. Install a lower grade (not one installed on before) to partition
> >and format.
>
> What is this supposed to mean?
>
> >5. Use yet another OS to do a format/verify.
>
> At best, this is doing nothing additional to what's been done with the
> DoD procedure. More likely, it's doing nothing useful.
>
> >6. Encrypt or scramble data to the drive in an alternate language
> >(piss-poor source code as a language or mixed incoherent source code
> >allowed here as a substitute on this step), filling all bits on the
> >drive.
> >6a. Write incoherent random documents and staff flyers to the drive
> >(may load from a usb device if necessary)
>
> Step three of the DoD procedure.
>
> >7. Run a handheld magnetic device over the drive.
>
> Totally useless. A "high density" floppy (5 1/4 inch - 1.2 Meg) from 1984
> had a coercivity of 600 Oersteds (the 3 1/2 inch 1.44 was higher at 720,
> and the 3 1/2 inch 2.88 Meg drive higher still at 750 Oersteds), and the
> average hand magnet didn't do a whole lot to them. The latest hard drives
> are more than an order of magnitude magnetically "stiffer" than those high
> density floppies. Are you old enough to remember reel-to-reel tapes?
> The bulk tape eraser (a two pound/one kilo electro-magnet using about two
> amperes) would do in a floppy, but not a hard disk - even if in contact
> with the media.
>
> >8. Dismantle the drive, including all platters if possible.
> >9. If not, "freeze" the platter(s). Throw or catapult it to a
> >sidewalk or wall with a minimum 150'.
>
> Last sentence not clear.
>
> >10. Collect as many pieces as possible and toss into a loose bag and
> >then toss into a alligator filled swamp.
>
> Two bad ideas. Better to scatter the pieces to the four winds. Alligator
> filled swap might slow things down (regulatory approval, tree-huggers,
> and so on), but won't do anything long term if the disks are important
> enough.
>
> >11. Go out and enjoy an adult beverage.
>
> It's a bit early in the day for that.
>
> >Would this do the trick?
>
> Nope. Read the two cited papers above and the NISPROM requirements.
> If you want to permanently destroy the information, the only sure solution
> is the destruction of the magnetic media. Take the platters out, and heat
> them above the Curie point - then to be sure, chuck the platters on an
> axle, spin them up, then use an ultra fine abrasive to grind the platters
> to a powder. Don't forget to wear protective clothing while doing so.
>
> Not willing to go that far? Take the platters out, and use an ultra-fine
> (600 grit or finer) "sand-paper" to gently remove the thin film coating
> from the platter. You want the resulting dust to be no larger than 2 to 5
> thousandths of an inch an any dimension. Dispose of the dust by scattering
> it from a height over a few thousand feet above the ground/sea.
>
> Still to much effort? Use your Linux box to write to the entire disk using
> the 'dd' command, first all zeros - then all ones, lather, rinse, repeat.
> When you think it's done, repeat two more passes, then overwrite with
> /dev/random (which will take a LONG time to do). Get the picture?
>
> Old guy
So is it safer to say to never get rid of old hard drives no matter who
owns them or what is on them that is considered sensitive to them? An
how does this fit in with higher security systems like A or B class
systems (Orange book referenced these)?

Re: Hmm...

On 9 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
<1160440909.835954.293890@i3g2000cwc.googlegroups.com>, James wrote:
>
>Moe Trin wrote:

>> Have a cite? The university's "property disposition department" is
>> totally incompetent.

>No cite, no. So, for argument sake, let's say this is the scenario.

No problem - a quick scan of the Risks Digest (mirrored as the Usenet
newsgroup "comp.risks") shows a number of incidents.

>Strictly hypothetical since I don't remember exactly what the paper was
>or the published date, nor do I really care one way or the other since
>I simply read the article and thought to myself "that must suck for
>them".

They aren't the only ones - it happens all to frequently.

>Well, mommy doesn't exist anymore, so let us say for the scenario that
>in this department, the (erased) hard drives are for sale to the
>general public. It could also be anywhere. Joe Blow and Jane doe
>average home users who sell used hard drives, or private companies.

Twenty plus years ago when I bought my first IBM PC clone, the hard drive
was US$300 give or take. Ten years ago, the price was US$200, and the
drive was two orders of magnitude larger. Today, it's two more orders of
magnitude larger, and somewhere around US$100... new. If the drive
held confidential data, it's getting to the point where it's cheaper to
slag the old drive and put a new one in there. But it's all about risk
management.

>Well, if the old drives contained student papers and personal
>information, the administration data were database financial files
>(i.e. payroll information, notices, etc), and the staff systems
>information. That would be for a university to be a problem.

For universities, there should be written policy (in some places/situations
there may be legal requirements) about cleaning drives. It _isn't_ that
hard to do wipe the disk to that Joe Average isn't going to recover anything.
A google search will turn up dozens of DOS/windoze/Mac (pre-OSX) applications
to do this, and there are stand-alone tools such as Toms RootNboot (Linux)
floppy. The Linux command used is 'dd' copying from '/deb/zero' and '/dev/one'
(all zeros, and all ones respectively). Five or six passes of each, and
nobody's going to get the data outside of a three-letter agency (and they
will be having a hard time).

>For the average user, let's say personal information, financial information,
>and e-mails to a neighbor for the upcoming vacation house/pet sitter
>(an iguana, lets say).

The average user isn't going to be targeted by a sophisticated recovery
effort. Any of the commonly available tools will do the job. On the other
hand, if you are really Bill Gates, and that disk has account numbers and
passwords to financial stuff, you should (and can afford to) slag the
drive.

>Or for a private company, the problem data could be old merger plans,
>payroll, source code, etc.

Is money so tight that you are going to get something by selling the drive?
If so, the disk wiping is probably enough. Otherwise, slag the drive.

>Whay any of these idiots would have that information available in
>electronic traces and then offering them for public sale is beyond me,
>but let's go with this.

That's easy - no one puts pen to paper any more. EVERYTHING is done on the
computer - the memos, the spreadsheets, the databases, you name it. And a
lot of people still have their head up-and-locked. That 'comp.risks'
newsgroup I mentioned above:

Date: Tue, 26 Aug 2003 09:23:37 -0400
From: Mark Feit
Subject: BlackBerry reveals sensitive Morgan Stanley data

We've seen this before with hard disks. The article goes on to point out
that this has started to happen more frequently as people are synchronizing
their mobile devices with their desktops.
The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his
real name), a Seattle computer consultant who always wanted one of the
pager-size devices to check his e-mail, sent in a bid. For just $15.50, he
bought the wireless device with 4 MB of memory. The BlackBerry didn't
come with a cable, synching station, software or a manual. But it did come
with something even more valuable: a trove of corporate data.
http://www.wired.com/news/print/0,1294,60052,00.html

>>> 1. Perform a "normal" deletion through the OS.
>>
>> Useless. At most, this "deletes" the directory entry.

>Exactly, but this is what the averae home user would probably do to
>think everything is gone forever, completely unaware of disk
>utilitiess, OS limitations, and forensic software.

More the pity, because there are applications spammed all over the Internet
that claim to wipe the drive. The ones that are spammed are grossly overpriced
compared to the free stuff you can download, but you'd think people would
be slightly aware. There is also the news items such as your university
screwup - but people forget, or ignore.

[NISPROM]

>Still looking at the docs.
>But let's say this is the first step beyond the average home user.

Virtually all of the disk wiping applications claim to follow this standard.

>It wouldnt have to be zero, it could be ff hex for the byte value on
>each byte. Or it could be random. But for disk editors, it seems it
>would be easier to go with one consistent value, or you could write a C
>program to fill random values for each byte on disk.

dd if=/dev/zero of=/dev/hda bs=2048
dd if=/dev/one of=/dev/hda bs=2048
dd if=/dev/urandom of=/dev/hda bs=2048

Now, I don't recommend you trying that - because at the end of the third
command, that drive is full of noise bytes. But that's the three pass wipe
demanded by NISPROM.

>Sorry, this was meant to say "Install a lower grade OS .."
>Let's say FAT16 PC-DOS.

Somewhere in the house, there is a pair of 360K floppies with MS-DOS 3.3
on them. Problem: It has no concept of a (tiny) 2.6 Gig drive. But even
if it did, the "high level" format command to create that FAT16 filesystem
only creates the root directory and a pair of clean FAT tables. It does
nothing to the data on the drive. Wanna try a "low-level" format? Modern
disks can only be formatted with manufacturer specific software. The days
of "DEBUG G=C800:5" are _long_ past.

>Let's say a UNIX variant here, and partitioning as well. If we want be
>particular, lets say BSD or Sun OS. Still not useful?

Same problem. '/sbin/mkfs' creates the superblocks, and nothing else. Any
data is still accessible with direct disk reads - that 'dd' command above.

>Frozen with something like say NO2, or some other chemical compound
>that can freeze the metal completely.

The drive manufacturer would probably void any warranty, but the thermal
shock is not guaranteed to damage the platters. Liquid N2 is roughly
-200C and an aluminum based platter is going to shrink, but I'd think
it's more show than functional. A ceramic based platter is going to shrink
less, but again not enough to do harm to the data.

>Heh. I see that being a better solution. Oh well, still sucks for the
>old owners of those hard drives.

Absolutely. For what it's worth, the systems retired by my company all
go through the NISPROM wipe unless they were legally required to be slagged
(we do have some government work). Dead drives get opened and sanded,
which is why I know about that technique. It usually takes less time to
sand the platters than it takes to open the drive and get the platters out.
Do wear a dust mask!

Old guy

Re: Hmm...

On 9 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
<1160441115.162699.303050@i3g2000cwc.googlegroups.com>, James wrote:

>So is it safer to say to never get rid of old hard drives no matter who
>owns them or what is on them that is considered sensitive to them?

As in my other reply - hard drives today are cheap - and if the data is
sensitive - destruction is the only way to go. Who knows, that all
important chink of data may be on one of those swapped out "bad sectors"
and _MAY_ be recoverable. Is the risk worth it? On the other hand,
are you sure the "bad guys" are after you - or would a NISPROM wipe
handle things? For Joe/Jane Average, the answer is probably yes. But
you would need to check for company policies (or more specifically,
government requirements) to make sure nothing _else_ is required.

>An how does this fit in with higher security systems like A or B class
>systems (Orange book referenced these)?

Orange Book (DoD Trusted Computer Systems Evaluation Criteria = DoD
5200.28-STD - December 1985) is _long_ dead, but the only classes I
recall related to orders of trust. I can't find my copy of the book, but
a reference I have (Computer Security Basics by Russell and Gangemi,
O'Reilly, 1991, ISBN 0-937175-71-4) says that it mentions "clearing disk
blocks when a file is scratched, or before being allocated", and "degaussing
magnetic tapes when no longer needed". I'm sure the actual Orange Book
had specifics, but the current standard is the NISPROM.

If the drive has/had officially classified material on it, discuss the
_requirements_ with the appropriate government representative. Do EXACTLY
what is required. If the drive was not officially classified, there
are companies that will handle the problem - everything from a NISPROM
wipe, up to slagging the drive and shredding the residue. In the Phoenix
Arizona (USA) yellow pages, there are five listings under "Computer
Recycling" and two of the five list "Certified Destruction" as an
available product/service. Several others in the "Compters - Service and
Repair" category also mention this service.

Old guy