Re: Wiping hard drives - Re: debian-user-digest Digest V2011 #1704
On 20/09/11 05:24, D G Teed wrote:
> On Mon, Sep 19, 2011 at 3:08 PM, Lee Winter <firstname.lastname@example.org
> <mailto:email@example.com>> wrote:
> You also failed to consider the asymmetry between the possible
> outcomes once the "truth" becomes known. �If one-pass overwrite is
> sufficient, but one uses multiple passes, then one has lost a small
> increment of time. �If one pass overwrite is not sufficient and you
> use only one pass, then you have a disaster on your hands.
> The way to resolve uncertainty is not to guess or flip a coin. �It is
> to carefully evaluate the risk vs. cost tradeoff. �People who perform
> that evaluation tend to be conservative about assessing unknown
> potential risks against known, fixed, and minor costs.
> That is what I said. �I called it "better safe than sorry" rather
> than giving it a business speak spin.
> Paranoia is whole 'nother story. �I suspect you use the term for
> dramatic purposes rather than for the purpose of clarity. �It devalues
> all of your comments.
> I don't mean clinical paranoia. �Just political. �In other words,
> an overly cautious over reaction to the unknown capabilities
> of an adversary. �It is widely mentioned in history. �It is never
> realized at the time, but usually some decades later in hind sight.
> If the data is military or similar, it probably makes sense to
> terminate hard drives with prejudice, because capabilities could
> change in the future. � But for most people, DBAN is
> probably appropriate (if the drive still works, if not, try
> some power tools or hammer until the deformation is to
> your satisfaction).
I think there's already been a case where a "researcher" recovered data
from damaged drives (or was it CDs) and went on televison hawking their
"security/paranoia" tips. Everybody has something to hide (it's why we
have toilet doors and wear clothes even in warm weather).
> To make the flip side of your argument of "you don't know 'cause
> it would be a secret": if the NSA/FBI/CIA had no way to recover
> data from a simply wiped drive, would they let the public know?
It's very hard to tell what may be dangerous so time down the track (as
history shows). See Cardinal Cardinal Richelieu for some examples.
My preferred method for risk management is to try and determine how long
something is exposed (how long will that drive be a drive) and what is
the worst case scenario - then consider that only psychics can
accurately predict the unknown (I strongly suspect psychics are bull*).
Finally, what reasonable measures can be taken to prevent the known and
counter the unknown.
I use Dban and shred (stick them in an old machine and take as long as
it takes) - then disable the drive (pin in the breather hole), pliers on
the power connectors.
I don't think my personal information needs to be secure - but I don't
know about the future - I do think/know that if client information was
recovered by unscrupulous people (or publicity seeking academics) it
would impact on my business.
NOTE: I know of a local case where some people were caught recovering
data from hard drives looking for personal information (they were
prosecuted for blackmail) - they went to the local tip just after Xmas
and filled they're boot with scavenged hard drives. They were caught and
chased off by workers at the tip who gave the license plate to police.
Turned out they'd been doing it for sometime - kind of a side benefit to
their main business of selling second-hand computer parts.
"Always question authority, and demand the truth."
— Bill Hicks