lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F5CA8D7D1561B45A128D35DB86BA8F8027E6CC5@IOWAEVS03.iowa.uiowa.edu>
Date: Thu, 21 Jul 2005 17:45:21 -0500
From: "Earnhart, Benjamin J" <benjamin-earnhart@...wa.edu>
To: <focus-ms@...urityfocus.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Peter Gutmann data deletion theaory?


I agree with most of what you say, and the general idea is valid.  However, the specifics of 

> then a full reformat is quite enough to cause them to move on 
> to the next
> machine - they're not going to have the motivation or 
> equipment to delve
> into a randomly selected disk.

is a dangerously naïve approach.  With point-and-click easy to use freeware tools under windows, I can do almost 100% retrieval of files after a full reformat, and even after reloading the OS and using it for a while, the simple point-and-click freeware tools can retieve an awful lot of stuff.  And if I have the skills to use more powerful, complex tools, I can do even better, without needing a lot of money, time, or even strong motivation.

Even for a home user, I'd recommend using a program that securely deletes stuff by actively over-writing with multiple passes of random data (sdelete and DBAN are a couple of my favorites).  A format is *not* enough. Your general idea (that it depends on the motivation and resources available to the attacker) is good, just that your level of paranoia should maybe be turned up a notch :)

I'm not positive which Gutmann piece the OP was referring to, but if it's the one I'm thinking of, it's a bit dated -- his methods were briefly really popular as a shortcut to secure deletion, but if they're the ones I think he's referring to, then they don't work with more modern file systems, so simple random passes are better, though more costly to implement.    


> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein@...methods.com] 
> Sent: Thursday, July 21, 2005 2:01 PM
> To: Jared Johnson; focus-ms@...urityfocus.com
> Cc: bugtraq@...urityfocus.com
> Subject: RE: Peter Gutmann data deletion theaory?
> 
> Like anything in security, "it depends".  In particular, it 
> depends on what
> the assumed adversary motivations and capabilities are.  If 
> the adversary is
> a nation-state with electron microscopes and other expensive 
> devices, and
> the disk is believed to have held highly classified information, it's
> clearly true that the only way to destroy the data is to burn 
> the disk (and
> in the right way).  If, on the other hand, the adversary is 
> someone who's
> randomly buying used computers in hopes of finding carelessly 
> deleted files,
> then a full reformat is quite enough to cause them to move on 
> to the next
> machine - they're not going to have the motivation or 
> equipment to delve
> into a randomly selected disk.
> 
> Where in between these two extremes it's necessary to burn 
> the disk is an
> exercise left to the reader ;-)  You really have to do a risk 
> analysis... If
> it's cheaper / easier / less dangerous for the adversary to 
> dumpster dive to
> get hardcopies or bribe someone or hack into the system, then 
> destroying the
> hardware is putting the effort in the wrong place.  For a lot 
> of classified
> systems, the assumption is that obtaining used disks is a low 
> cost attack,
> so it's cost effective to use destruction.
> 
> --Jeremy
> 
> > -----Original Message-----
> > From: Jared Johnson [mailto:jaredsjazz@...oo.com] 
> > Sent: Wednesday, July 20, 2005 7:49 PM
> > To: focus-ms@...urityfocus.com
> > Cc: bugtraq@...urityfocus.com
> > Subject: Peter Gutmann data deletion theaory?
> > 
> > All,
> > 
> > Do you all agree with Peter Gutman's conclusion on his theory 
> > that data can never really be erased, as noted in his quote below:
> > 
> > "Data overwritten once or twice may be recovered by 
> > subtracting what is expected to be read from a storage 
> > location from what is actually read. Data which is 
> > overwritten an arbitrarily large number of times can still be 
> > recovered provided that the new data isn't written to the 
> > same location as the original data (for magnetic media), or 
> > that the recovery attempt is carried out fairly soon after 
> > the new data was written (for RAM). For this reason it is 
> > effectively impossible to sanitise storage locations by 
> > simple overwriting them, no matter how many overwrite passes 
> > are made or what data patterns are written. However by using 
> > the relatively simple methods presented in this paper the 
> > task of an attacker can be made significantly more difficult, 
> > if not prohibitively expensive."
> > 
> > It seems that the perhaps the only real way to rid your Hard 
> > Drives of data is to burn them. 
> > 
> > I'd love to hear some thoughts on this from security and data 
> > experts out there.
> > 
> > 
> > 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ