What we need is encrypted distributed file systems a la Plan 9.

http://plan9.bell-labs.com
http://www.vitanuova.com

____________________________________________________________________

Before a larger group can see the virtue of an idea, a smaller group must first understand it.
    "Stranger Suns", George Zebrowski

James Choate, The Armadillo Group, Austin, Tx
ravage@ssz.com
www.ssz.com
512-451-7087

On Tue, 20 Feb 2001, Ray Dillinger wrote:
> On Mon, 19 Feb 2001, David Honig wrote:
>
> > At 11:38 AM 2/19/01 -0800, Ray Dillinger wrote:
> >
> > > The problem is that data that's been written over once, or even twice or ten times, can often still be read if someone actually takes the platters out and uses electromagnetic microscopy on them.
> >
> > Really? You think the fed specs on secure wiping are disinfo?
>
> Disinformation is such an ugly word... and the published fed specs on secure wiping apply to not-very-sensitive data. For highly sensitive data, most secure wipe specs are classified, or, as someone else here pointed out, involve physical destruction of the drive.
>
> I think this is probably one of the biggest gaps remaining in system security. If you are careful, you can use BSD, GPG, etc. to build a quite secure box - but if sensitive plaintexts are ever stored on the drive, even if they are overwritten, then when a data thief willing to spend enough bucks gets the drive, you lose.
>
> At the very least, we need browsers that don't store their caches, cookies, or history files in cleartext.
>
> We need mail programs that never EVER write the cleartext to the disk.
>
> We need newsreaders that don't store the articles in cleartext, or for that matter the list of newsgroups that someone is subscribed to.
>
> We need editors that don't put cleartext on the disk when you hit the "save" command.
>
> This is basic stuff, fundamental. Hardware theft is a threat model that's been far too often ignored in the design of secure systems. Why bother to build a good cipher if you leave the plaintext lying around where it can be stolen?
>
> Bear