Secure erasing Info (fwd from richard@SCL.UTAH.EDU)
----- Forwarded message from Richard Glaser <richard@SCL.UTAH.EDU> -----
yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction?
If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
-TD
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@al-qaeda.net
Subject: Secure erasing Info (fwd from richard@SCL.UTAH.EDU)
Date: Sat, 30 Apr 2005 19:49:56 +0200
----- Forwarded message from Richard Glaser <richard@SCL.UTAH.EDU> -----
From: Richard Glaser <richard@SCL.UTAH.EDU>
Date: Wed, 27 Apr 2005 12:17:43 -0600
To: MACENTERPRISE@LISTSERV.CUNY.EDU
Subject: Secure erasing Info
Reply-To: Mac OS X enterprise deployment project <MACENTERPRISE@LISTSERV.CUNY.EDU>
FYI:
Rendering Drives Completely Unreadable Can be Difficult
-------------------------------------------------------
The National Association for Information Destruction has said it cannot endorse the use of wiping applications alone for ensuring that data have been effectively removed from hard drives. NAID executive director Bob Johnson said the only way to ensure that the data will be unreadable is to physically destroy the drives, and even that has to be done in certain ways to ensure its efficacy. Most major PC makers offer a drive destruction service for $20 or $30. Some hardware engineers say they understand why the drives have been created in a way that makes it hard to completely erase the data: customers demanded it because they were afraid of losing information they had stored on their drives.
http://news.com.com/2102-1029_3-5676995.html?tag=st.util.print
[Editor's Note (Pescatore): Cool, I want a "National Association for Information Destruction" tee shirt. How hard could it be to have an interlock feature - you can really, really clear the drive if you open the case, hold this button down while you delete?
(Ranum): Peter Gutmann, from New Zealand, did a terrific talk in 1997 at USENIX in which he showed electromicrographs of hard disk surfaces that had been "wiped" - you could still clearly see the 1s and 0s where the heads failed to line up perfectly on the track during the write/erase sequence. He also pointed out that you can tell more recently written data from less recently written data by the field strength in the area, which would actually make it much easier to tell what had been "wiped" versus what was persistent long-term store. The paper, minus the cool photos, may be found at:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
Hard disks, I've found, make satisfying small arms targets.]
Here is Mac OS X software called "SPX" that uses the "Gutmann" method of securely deleting data off a hard disk. If you want to donate old HDs this might be the best method for protecting your data that was on the HD other than physically destroying the HDs.
http://rixstep.com/4/0/spx/
--
Thanks:
Richard Glaser
University of Utah - Student Computing Labs
richard@scl.utah.edu
801-585-8016
_____________________________________________________
Subscription Options and Archives
http://listserv.cuny.edu/archives/macenterprise.html
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
Thus spake Tyler Durden (camera_lumina@hotmail.com) [02/05/05 10:18]:
: yes, this reminded me of another brilliant idea.
:
: Why don't some cars have a little tiny furnace for stash destruction?
:
: If you've got an on-board stash and some Alabama hillbilly with a badge
: pulls you over, you just hit the button and have your little stash
: incinerated. Who cares if the badge knows you USED TO have something on
: board? Too late now if any trace of evidence is gone.
:
: What's wrong with this idea?

The government would never let it fly?
Congratulations, you just turned your vehicle into "drug paraphernalia".
What? You claim it is Not for drugs? Tell this to the judge.

-----Original Message-----
From: owner-cypherpunks@minder.net [mailto:owner-cypherpunks@minder.net] On Behalf Of Tyler Durden
Sent: May 2, 2005 10:14 AM
To: eugen@leitl.org; cypherpunks@al-qaeda.net
Subject: Stash Burn?

yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction?
If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
-TD
There's laws against destroying evidence, interfering with an officer, interfering with an investigation, etc. If they can prove that you had it and destroyed it, now they can charge you with two crimes instead of just one.
(I think I heard once that someone was charged with destroying evidence for taking batteries out of a device when he was arrested hoping to wipe its memory).
- Eric

Tyler Durden wrote:
yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction?
If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
-TD
On Mon, 2 May 2005, Tyler Durden wrote:
yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction?
If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
Let's focus on the technical realization first. How to annihilate a sizable chunk of matter without leaving even minute traces of it? We should keep in mind that contemporary forensic detection/analysis technologies are pretty damn sensitive. We also shouldn't forget that burning the substance releases a considerable amount of energy, and takes time - at least several seconds. Soaking it with liquid oxygen could dramatically reduce the burning time, and lead to total oxidation to CO2/H2O/SO2/NO2/P2O5, but it also bears certain risk of explosion, and LOX does not belong between user-friendly substances as well. The method also should not provide any hard evidence about when the incinerator was last used, in order to make it difficult to prove the exact moment of its deployment. This sharply collides with the requirement to dump the waste heat, as the unit will be pretty hot for some time after initiation, even if it will be directly connected to the car's heatsink.
Yes, I think those are the essential questions. Admittedly it would normally be quite difficult to eliminate any detectable trace...I'm assuming that a huge blast of heat should do it. Cooling can be done by liquid, for instance. The liquid could be programmed to flush at certain random intervals to cover correlation between operation and smokey interest. (But this probably eliminates dual-use arguments.)
Assuming it's doable then I'm as yet uncertain about the legal ramifications. Say the smokeys are stopping you for something "routine" and you burn your stash right there. Do they have the legal right to even mention the disposal operation? And if they do, is there any legal way to state what substance was destroyed? Perhaps it was pot (as opposed to something harder), or moonshine, or even some designer drug that's not yet technically illegal?
-TD
From: Thomas Shaddack <shaddack@ns.arachne.cz>
To: Tyler Durden <camera_lumina@hotmail.com>
CC: eugen@leitl.org, cypherpunks@al-qaeda.net
Subject: Re: Stash Burn?
Date: Mon, 2 May 2005 20:29:13 +0200 (CEST)
On Mon, 2 May 2005, Tyler Durden wrote:
yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction?
If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
Let's focus on the technical realization first. How to annihilate a sizable chunk of matter without leaving even minute traces of it? We should keep in mind that contemporary forensic detection/analysis technologies are pretty damn sensitive.
We also shouldn't forget that burning the substance releases a considerable amount of energy, and takes time - at least several seconds. Soaking it with liquid oxygen could dramatically reduce the burning time, and lead to total oxidation to CO2/H2O/SO2/NO2/P2O5, but it also bears certain risk of explosion, and LOX does not belong between user-friendly substances as well.
The method also should not provide any hard evidence about when the incinerator was last used, in order to make it difficult to prove the exact moment of its deployment. This sharply collides with the requirement to dump the waste heat, as the unit will be pretty hot for some time after initiation, even if it will be directly connected to the car's heatsink.
On 2005-05-02T10:13:50-0400, Tyler Durden wrote:
yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction? If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
That's rather complicated and unlikely to succeed. A more practical solution would be a pod that can be jettisoned. Dark-colored or camo, rock-like, and indestructible for later retrieval. No cop would notice such a thing fired directly forward after he's pulled in behind you and lighted you up.
Add a radio beacon for easy location after the cop has departed.
Hum. Well, me I personally like the piss-off factor: the cops KNOW you had something, which is bad enough. And then, they KNOW you destroyed it. But most importantly, they know you know they know, but you don't give a crap. A flagrant touting of their authority. If they don't beat you to death, it'll be very satisfying.
The pod jettison idea is interesting, but I'm sceptical: Those guys are always on the lookout for something being chucked out of a car getting pulled over, but if it were jettisoned straight out the front it might work.
-TD
From: Justin <justin-cypherpunks@soze.net>
To: cypherpunks@al-qaeda.net
Subject: Re: Stash Burn?
Date: Mon, 2 May 2005 19:23:08 +0000
On 2005-05-02T10:13:50-0400, Tyler Durden wrote:
yes, this reminded me of another brilliant idea.
Why don't some cars have a little tiny furnace for stash destruction? If you've got an on-board stash and some Alabama hillbilly with a badge pulls you over, you just hit the button and have your little stash incinerated. Who cares if the badge knows you USED TO have something on board? Too late now if any trace of evidence is gone.
What's wrong with this idea?
That's rather complicated and unlikely to succeed. A more practical solution would be a pod that can be jettisoned. Dark-colored or camo, rock-like, and indestructible for later retrieval. No cop would notice such a thing fired directly forward after he's pulled in behind you and lighted you up.
Add a radio beacon for easy location after the cop has departed.
Yeah, but these days, I'd go with the largest flash drive I could afford. USB2 or otherwise. I don't believe you can recover data from these once you actually overwrite the bits (anyone out there know any different?). They're either 1 or 0, there's no extra ferrite molecules to the left or the right of the track to pick up a signal from ;-)
As always encrypt the data you write to the device. I wouldn't overwrite flash repeatedly (i.e. the Gutmann method of 35 writes) though, there's a limit on the number of writes, after which it goes bad. I'd overwrite it once with random data.

Eugen Leitl wrote:
----- Forwarded message from Richard Glaser <richard@SCL.UTAH.EDU> -----
From: Richard Glaser <richard@SCL.UTAH.EDU>
Date: Wed, 27 Apr 2005 12:17:43 -0600
To: MACENTERPRISE@LISTSERV.CUNY.EDU
Subject: Secure erasing Info
Reply-To: Mac OS X enterprise deployment project <MACENTERPRISE@LISTSERV.CUNY.EDU>
FYI:
Rendering Drives Completely Unreadable Can be Difficult
-------------------------------------------------------
On Mon, 2 May 2005, sunder wrote:
Yeah, but these days, I'd go with the largest flash drive I could afford. USB2 or otherwise. I don't believe you can recover data from these once you actually overwrite the bits (anyone out there know any different?).
There are lots of pitfalls in secure erasure, even without considering physical media attacks. Your filesystem may not overwrite data on the same blocks used to write the data originally, for instance. Plaintext may be left in the journal and elsewhere. Even filling up the disk may not do it, as some filesystems keep blocks in reserve. I did a demo a few years ago where I wrote plaintext, overwrote, then dumped the filesystem blocks out and found parts of the plaintext.
For anybody who hasn't read it, the Gutmann paper is "Secure Deletion of Data from Magnetic and Solid-State Memory", and is highly recommended. He shows that even RAM isn't safe against physical media attacks.
-J
Jason Holt wrote:
There are lots of pitfalls in secure erasure, even without considering physical media attacks. Your filesystem may not overwrite data on the same blocks used to write the data originally, for instance. Plaintext may be left in the journal and elsewhere. Even filling up the disk may not do it, as some filesystems keep blocks in reserve. I did a demo a few years ago where I wrote plaintext, overwrote, then dumped the filesystem blocks out and found parts of the plaintext.
For anybody who hasn't read it, the Gutmann paper is "Secure Deletion of Data from Magnetic and Solid-State Memory", and is highly recommended. He shows that even RAM isn't safe against physical media attacks.
In case anyone's too lazy to google it, Peter Gutmann's paper can be found here:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
Good point. So, modify that with - create a block-level encrypted file system on the flash drive, so long as your key and passphrase are good, you should be safe enough...
I've also seen this little toy: http://www.biostik.com/ a bit pricey, but depending on your threat model, might add another layer of protection. Not something I'd personally bother with - esp with the recent stuff about how to make fake fingerprints, etc (funny thing is that your fingerprints will be on the case of this thing, so not much security there), but YMMV based on your threat model, right? But, as always, encrypt early and often. :-D
Would make an interesting side conversation about how fingerprints are passwords, but passwords that can (now?) be easily stolen and replayed. IMHO, it casts doubt on a lot of biometric methods. Wonder if it would be possible to create an image of an iris that would pass an iris scan, if so, both fingerprints and irises become much like permanent credit cards, but worse, which once duplicated, cannot be revoked.
One can imagine in the future once ATMs have iris scanners, that some evil group will set up a fake ATM with a very good CCD camera setup to capture irises as well as ATM cards and PINs... and, why not, also fingerprints if future ATMs use such scanners.
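The two points above (Jason Holt's block dump that still showed plaintext after an overwrite, and sunder's reply that the data should be encrypted before it reaches the device) can be reproduced in a toy model. This is an added example, not code from the thread; ToyVolume, find_remnants and keystream_xor are hypothetical names, the cipher is a stand-in for real block-level encryption, and the sample secret is constructed.

```python
# Added example (not from the thread). Toy model of a volume that never
# rewrites blocks in place, as journaling/copy-on-write filesystems and
# flash wear-levelling may not. All names here are hypothetical.
import hashlib
import os

BLOCK = 64  # toy block size in bytes
SECRET = b"acct=4417 pin=0000 (constructed sample)"  # fits in one block


class ToyVolume:
    """Allocates fresh blocks on every write; old blocks are only marked free."""

    def __init__(self, nblocks=32):
        self.raw = [bytes(BLOCK) for _ in range(nblocks)]  # the medium
        self.free = list(range(nblocks))
        self.files = {}  # name -> block numbers

    def write(self, name, data):
        old = self.files.get(name, [])
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("volume full")
        new = [self.free.pop(0) for _ in chunks]
        for n, chunk in zip(new, chunks):
            self.raw[n] = chunk.ljust(BLOCK, b"\0")
        self.files[name] = new
        self.free.extend(old)  # stale contents stay in self.raw

    def read(self, name, length):
        return b"".join(self.raw[n] for n in self.files[name])[:length]


def find_remnants(volume, needle):
    """Dump every raw block, allocated or not, and list those holding needle."""
    return [n for n, blk in enumerate(volume.raw) if needle in blk]


def keystream_xor(key, data):
    """Stand-in for real block-level encryption (SHA-256 counter keystream).
    Illustration only; use a vetted disk-encryption tool in practice."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def overwrite_in_clear():
    vol = ToyVolume()
    vol.write("notes.txt", SECRET)
    vol.write("notes.txt", os.urandom(len(SECRET)))  # the "wipe" pass
    return find_remnants(vol, SECRET)


def overwrite_encrypted():
    vol = ToyVolume()
    key = os.urandom(32)
    vol.write("notes.txt", keystream_xor(key, SECRET))
    assert keystream_xor(key, vol.read("notes.txt", len(SECRET))) == SECRET
    vol.write("notes.txt", os.urandom(len(SECRET)))
    return find_remnants(vol, SECRET)  # stale block holds ciphertext only


if __name__ == "__main__":
    print("plaintext blocks left after overwrite:", overwrite_in_clear())
    print("plaintext blocks left when encrypted: ", overwrite_encrypted())
```

In the encrypted case the stale block is still on the medium; what protects it is the key and passphrase, so discarding the key is what makes the remnant unreadable.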
participants (9)
- Damian Gerow
- Eric Tully
- Eugen Leitl
- Jason Holt
- Justin
- R.W. (Bob) Erickson
- sunder
- Thomas Shaddack
- Tyler Durden