Articles from August 2010



#036 Today In Technology History by:Amy Elk

08/31/10 “Kinetoscopes and Super Guppy”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

Securely disposing data on hard drives and other storage media

Date: August 31st, 2010
Author: Chad Perrin

Debates sometimes arise, both within academic circles and outside of them, over the necessity of high-intensity secure deletion techniques. Find out the true state of affairs for secure data disposal.

—————————————————————————————————————————————-
The state of the art of secure data disposal is, like that in most technical spheres of knowledge, always subject to change as researchers do their work. One might imagine that this involves new techniques for more effective data recovery that employs magnetic force microscopes and similarly high-cost solutions, countered by new advice for how to defeat such efforts when disposing of hard drives and other storage media.

One example of an impressive data recovery effort is that of the remains of hard drives from the Columbia space shuttle disaster, which ultimately led to the recovery of experimental data. Six months after the shuttle came apart on atmospheric reentry, a damaged hard drive was found in a dry lakebed and delivered to data recovery specialists at Kroll Ontrack Inc. Some time in the next four years or so, 99% of the data stored on the drive was recovered. The drive was eight years old before the shuttle disaster; it was delivered to the people who recovered the data from it looking like a melted down piece of slag and then damaged further during the recovery process — but recovery was a success.

On the other hand, two other drives involved in the shuttle disaster were complete losses.

There is a persistent myth to the effect that to securely delete everything from a hard drive one must overwrite it thirty-five times with random data. This myth arises from a superficial read and misunderstanding of Peter Gutmann’s 1996 paper, Secure Deletion of Data from Magnetic and Solid-State Memory. The truth of the matter, as presented in his paper, is that 35 random overwrites serves only to apply the necessary means of securely deleting data for any of several different drive technologies. A specific data storage technology only requires some lesser technique applied to ensure secure deletion.

Perhaps more interesting is the fact that, for the most modern hard drive technologies, a single complete overwrite of a drive with zeros should be sufficient. Part of the reason for this is the fact that data density on a drive is much greater than it used to be. In layman’s terms, “the bits are smaller”, which means that when rewriting, there is less room for old data to be left behind in a recoverable manner. A fair amount of redundancy of stored data occurred on older, lower density drives because the reading and writing devices were not as precise, and small deviations would leave random small areas unaffected on a single overwrite.

In a recent epilogue to his paper, Gutmann quoted himself responding to a researcher who considered doing some data testing:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging. OTOH if you’re going to use the mid-90s technology that I talked about, low-density MFM or (1,7) RLL, you could do it with the right equipment, but why bother? Others have already done it, and even if you reproduced it, you’d just have done something with technology that hasn’t been used for ten years. This is why I’ve never updated my paper (I’ve had a number of requests), there doesn’t seem to be much more to be said about the topic.

Recent papers by other researchers may seem to contradict Gutmann’s results. He does address some of this in his epilogues. Judging by both his epilogues and an independent look at reporting on such papers, it seems that such papers are in some cases misguided, and in others not contradictory of Gutmann’s results so much as relating to a specific technology that falls within the range of Gutmann’s more general overview.

While no single storage technology requires Gutmann’s described technique for dealing with all technologies, few of us have the time or inclination to double-check the specific technologies and the approaches required for each of them before tackling the task of secure data disposal. If you want to run a secure data disposal service where you expect to need to deal with many, many different storage devices regularly, it pays to know the specific techniques for specific technologies, and to apply them, if only because the time and resource costs for secure deletion will add up quickly. If you are a more typical user who just needs to get rid of a hard drive every couple years or so, the time spent keeping track of drive technologies and data disposal techniques is probably worth more to you than the time it takes a computer to perform Gutmann’s thirty-five overwrite “scorched earth” technique.

For more, visit TechRepublic.com

#035 Today In Technology History by: Amy Elk

08/30/10 “Space Shuttle Discovery”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

#034 Today In Technology History by: Amy Elk

08/28/10 “Bicycles and Motorcycles”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

#033 Today In Technology History by: Amy Elk

08/27/10 “Scientific American and Toyota”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

#032 Today In Technology History by:Amy Elk

08/27/10 “Mariner 2 and Rainbow Bridge”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

#031 Today In Technology History by:Amy Elk

08/26/10 “First Russian ICBM”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

Sticks and stones: Picking on users AND security pros

Nobody likes to get picked on. But is it sometimes necessary to snap people out of their apathetic approach to security?

By Bill Brenner, Senior Editor

August 25, 2010 — CSO

I took my share of name-calling as a kid. I did my share of name-calling, too. We’re taught that nothing good comes of such behavior. I’ve been thinking a lot about that since writing an article two weeks ago called “Security blunders ‘dumber than dog snot’” during the 2010 USENIX Security Symposium.

The story is based on a talk of the same title given by Roger G. Johnston, a member of the Vulnerability Assessment Team at Argonne National Laboratory. In the presentation, he gave examples of surprising (or not) examples of what he has seen as a vulnerability assessor: security devices, systems and programs with little or no security — or security thought — built in. There are the well-designed security products foolishly configured by those who buy them, thus causing more vulnerability than before the devices were installed.

Then there are the badly-thought-out security rules and security programs laden in security theater, lacking muscle and teeth. In fact, some policies only make some employees disgruntled because they are treated like fools. In turn, the company risks turning them into malicious insiders.

Also see “Ouch! Security pros’ worst mistakes

Johnston described three common problems: People forgetting to lock the door, people too stupid to be helped and — worst of all — intelligent people who don’t exploit their abilities for the betterment of security. Enter what he calls the dog snot model of security– where intelligence and common sense exist but are not used.

He came up with the term by watching his dogs, who often crash themselves against the picture window facing the yard when they want to go chase a squirrel. Hence, the windows are covered in dog snot. Executives and lower-level users are often like the dogs in that they bang their heads against the firewall (or their fingers against the keyboard) in an effort to get at a shiny object online. The security pros themselves can get caught up in this too, usually banging up against the glass by trying to prevent bad things from happening by repeating the same failed practices.

Moments after the story went live and appeared on Twitter, I got a message from Adam Shotack, co-author of “The New School of Information Security” and a security specialist at Microsoft.

“Is that attitude helpful? Does anyone respond better when you call them ‘dumber than dog snot?'” he asked.

For the rest, visit CSO Online.

#030 Today In Technology History by:Amy Elk

08/25/10 “Galileo and Voyager 2″TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith

#029 Today In Technology History by:Amy Elk

08/24/10 “Windows 95 and RFID”TiTH.TechJives.net by:Amy Elk
Keywords: amy elk podcast tech jives techjives techjives.net chris pope today in technology history amyelk.com voice actress
Feedburner RSS feed:
http://feeds.feedburner.com/tith