Secure Erasing is actually harder than that...

Ray Dillinger bear at sonic.net
Tue Feb 20 10:18:40 PST 2001




On Mon, 19 Feb 2001, David Honig wrote:

>At 11:38 AM 2/19/01 -0800, Ray Dillinger wrote:
>>The problem is that data that's been written over once, or even 
>>twice or ten times, can often still be read if someone actually 
>>takes the platters out and uses electromagnetic microscopy on 
>>them. 
>
>Really?  You think the fed specs on secure wiping are disinfo?

Disinformation is such an ugly word...  and the published fed 
specs on secure wiping apply to not-very-sensitive data.  For 
highly sensitive data, most secure wipe specs are classified, 
or, as someone else here pointed out, involve physical destruction 
of the drive. 

I think this is probably one of the biggest gaps remaining in 
system security.  If you are careful, you can use BSD and GPG 
etc. to build a quite secure box, but if sensitive plaintexts 
are ever stored on the drive, even if they are overwritten, 
then when a data thief willing to spend enough bucks gets the 
drive, you lose.

At the very least, we need browsers that don't store their caches, 
cookies, or history files in cleartext.

We need mail programs that never EVER write the cleartext to the 
disk.

We need newsreaders that don't store the articles in cleartext, 
or for that matter the list of newsgroups that someone is subscribed 
to.

We need editors that don't put cleartext on the disk when you 
hit the "save" command.

This is basic stuff, fundamental.  Hardware theft is a threat model 
that's been far too often ignored in the design of secure systems. 
Why bother to build a good cipher if you leave the plaintext lying 
around where it can be stolen?

				Bear
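The "save" the post asks for, as an added illustration that is not Ray Dillinger's code or anything from the thread: the naive editor save writes the buffer to disk as-is, while the hardened save seals it with AES-256-GCM under a key that exists only in memory and writes nothing but nonce and ciphertext, so there is never any plaintext to erase. Everything here is an assumption chosen for the example: Go's standard-library AES-GCM as the cipher, a sibling temp file plus rename as the write strategy, the file name as associated data, and the sample document and paths, which are constructed. The leak check at the end is the test a thief holding the drive effectively runs: does the raw file contain the sensitive string?

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// SampleDoc is a constructed editor buffer standing in for a sensitive draft.
var SampleDoc = []byte("Dear Alice, the meeting is at the usual place.\n")

// NewKey returns a random 256-bit key; a real editor would derive it from a
// passphrase at startup and hold it only in memory, never on disk.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// PlainSave is the naive "save": the buffer goes to disk as-is, which is the
// cleartext-on-disk problem the post describes.
func PlainSave(path string, doc []byte) error {
	return os.WriteFile(path, doc, 0o600)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptedSave seals the buffer with AES-256-GCM and writes nonce||ciphertext
// to a sibling temp file, then renames it over path, so the file is always
// either the old version or the complete new one. Plaintext never touches the
// filesystem here; swap, core dumps and autosave files are separate leaks.
func EncryptedSave(path string, key, doc []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The file name is authenticated as associated data, so someone holding
	// the disk cannot silently substitute one sealed file for another.
	sealed := gcm.Seal(nonce, nonce, doc, []byte(filepath.Base(path)))
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, sealed, 0o600); err != nil {
		os.Remove(tmp)
		return err
	}
	return os.Rename(tmp, path)
}

// EncryptedLoad reverses EncryptedSave and fails closed on any tampering.
func EncryptedLoad(path string, key []byte) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("%s: file too short", path)
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filepath.Base(path)))
}

// LeaksPlaintext: do the raw on-disk bytes of path contain the sensitive string?
func LeaksPlaintext(path string, needle []byte) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return bytes.Contains(data, needle), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "save-demo")
	defer os.RemoveAll(dir)
	key, _ := NewKey()
	plain, enc := filepath.Join(dir, "plain.txt"), filepath.Join(dir, "draft.enc")
	_ = PlainSave(plain, SampleDoc)
	_ = EncryptedSave(enc, key, SampleDoc)
	l1, _ := LeaksPlaintext(plain, []byte("Alice"))
	l2, _ := LeaksPlaintext(enc, []byte("Alice"))
	fmt.Println("plain save leaks plaintext:", l1, "| encrypted save leaks plaintext:", l2)
}
```

The point the post makes survives intact: this approach does not try to overwrite anything after the fact, it arranges for the cleartext never to reach the platters, which is the only strategy that holds against an adversary who can image the drive. What it does not cover is the key itself, or any copy of the buffer the OS makes in swap or a crash dump; those have to be handled separately.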





