SEO
vBulletin Search Engine Optimization
| |||||||
| Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-16-2008, 08:08 AM
| ||||
| ||||
 Secure disk erasing I was looking at wiping a disk and found the following: http://blogs.zdnet.com/storage/?p=129 in particular Secure Erase http://cmrr.ucsd.edu/Hughes/SecureErase.html Which talks about using a function built into modern drives. from the readme: "It offers the option to run the drive internal secure erase command, security erase unit, based on the ATA specification by the T13 technical committee." Is this function available via OpenBSD? Cheers R.      |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing Ryoko wrote: > I was looking at wiping a disk and found the following: > http://blogs.zdnet.com/storage/?p=129 > > in particular Secure Erase > http://cmrr.ucsd.edu/Hughes/SecureErase.html > > Which talks about using a function built into modern drives. > > from the readme: > "It offers the option to run the drive internal secure erase command, > security erase unit, based on the ATA specification by the T13 technical > committee." > > Is this function available via OpenBSD? > Assuming that manufacturers support this function (at least some of the Secure Erase stuff is optional) most drives will ignore this function if the Freeze Lock command has been invoke. This is typically done by the system BIOS. Can host operating systems actually get access to these functions now? Note that this built-in Secure Erase functionality may not meet or exceed some levels of security, since the specification states that secure erase simply has to write binary zeros over the user data portions of the drive. -- clvrmnky <mailto:spamtrap@clevermonkey.org> Direct replies will be blacklisted. Replace "spamtrap" with my name to contact me directly. |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing On Tue, 10 Jul 2007 21:05:05 +0100 in <ryoko-nsp--D674AC.21050510072007@europe.isp.giganews.com> Ryoko <ryoko-nsp-@talk21.com> wrote: > I was looking at wiping a disk and found the following: > http://blogs.zdnet.com/storage/?p=129 > > in particular Secure Erase > http://cmrr.ucsd.edu/Hughes/SecureErase.html > > Which talks about using a function built into modern drives. > > from the readme: > "It offers the option to run the drive internal secure erase command, > security erase unit, based on the ATA specification by the T13 technical > committee." > > Is this function available via OpenBSD? If you truly need a secure erase, consider thermite followed by shredding the drive followed by running the pieces through a ball mill with ceramic ball media with the finale being to slowly spread the remains into a fast flowing river. Oh and to ratchet your paranoia another level... there are more law enforcement types than spook types on the ATA technical committees these days... -- Chris Dukes < elfick> willg: you can't use dell to beat people, it wouldn't stand up to the strain... much like attacking a tank with a wiffle bat |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing ? wrote: > On Tue, 10 Jul 2007 21:05:05 +0100 in <ryoko-nsp--D674AC.21050510072007@europe.isp.giganews.com> Ryoko <ryoko-nsp-@talk21.com> wrote: >> I was looking at wiping a disk and found the following: >> http://blogs.zdnet.com/storage/?p=129 >> >> in particular Secure Erase >> http://cmrr.ucsd.edu/Hughes/SecureErase.html >> >> Which talks about using a function built into modern drives. >> >> from the readme: >> "It offers the option to run the drive internal secure erase command, >> security erase unit, based on the ATA specification by the T13 technical >> committee." >> >> Is this function available via OpenBSD? > > If you truly need a secure erase, consider thermite > followed by shredding the drive followed by running the > pieces through a ball mill with ceramic ball media > with the finale being to slowly spread the remains > into a fast flowing river. > Or, we can make Good Enough security easy to access when discarding old media. Most of us do not need to protect ourselves against the techniques affordable only to countries. Taking reasonable steps to keep private data from getting into the wrong hands is not paranoia. It's sensible. -- clvrmnky <mailto:spamtrap@clevermonkey.org> Direct replies will be blacklisted. Replace "spamtrap" with my name to contact me directly. |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing Ryoko <ryoko-nsp-@talk21.com> wrote: > I was looking at wiping a disk and found the following: > http://blogs.zdnet.com/storage/?p=129 > > in particular Secure Erase > http://cmrr.ucsd.edu/Hughes/SecureErase.html > > Which talks about using a function built into modern drives. > > from the readme: > "It offers the option to run the drive internal secure erase command, > security erase unit, based on the ATA specification by the T13 technical > committee." > > Is this function available via OpenBSD? No. Unless you have very rich and persistent enemies, just zeroing the drive works fine; if you do have such enemies, consider just dd'ing from /dev/arandom a couple of times. Or, better yet,physically distructing the drive as suggested before. Joachim |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing On 11 Jul 2007 14:58:50 GMT in <4694f02a$0$89003$dbd4f001@news.wanadoo.nl> Joachim Schipper <jdNoOtSPAMschipper@math.uu.nl> wrote: > Ryoko <ryoko-nsp-@talk21.com> wrote: >> I was looking at wiping a disk and found the following: >> http://blogs.zdnet.com/storage/?p=129 >> >> in particular Secure Erase >> http://cmrr.ucsd.edu/Hughes/SecureErase.html >> >> Which talks about using a function built into modern drives. >> >> from the readme: >> "It offers the option to run the drive internal secure erase command, >> security erase unit, based on the ATA specification by the T13 technical >> committee." >> >> Is this function available via OpenBSD? > > No. Unless you have very rich and persistent enemies, just zeroing the > drive works fine; if you do have such enemies, consider just dd'ing from > /dev/arandom a couple of times. Or, better yet,physically distructing > the drive as suggested before. If you think you'll end up wiping a drive by zeroing or random data wipe it with random data a few times before putting the real data on for the first time. -- Chris Dukes < elfick> willg: you can't use dell to beat people, it wouldn't stand up to the strain... much like attacking a tank with a wiffle bat |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing On Wed, 11 Jul 2007 15:26:29 +0000, ? wrote: > On 11 Jul 2007 14:58:50 GMT in <4694f02a$0$89003$dbd4f001@news.wanadoo.nl> Joachim Schipper <jdNoOtSPAMschipper@math.uu.nl> wrote: >> Ryoko <ryoko-nsp-@talk21.com> wrote: >>> I was looking at wiping a disk and found the following: >>> http://blogs.zdnet.com/storage/?p=129 >>> >>> in particular Secure Erase >>> http://cmrr.ucsd.edu/Hughes/SecureErase.html >>> >>> Which talks about using a function built into modern drives. >>> >>> from the readme: >>> "It offers the option to run the drive internal secure erase command, >>> security erase unit, based on the ATA specification by the T13 technical >>> committee." >>> >>> Is this function available via OpenBSD? >> >> No. Unless you have very rich and persistent enemies, just zeroing the >> drive works fine; if you do have such enemies, consider just dd'ing from >> /dev/arandom a couple of times. Or, better yet,physically distructing >> the drive as suggested before. > > If you think you'll end up wiping a drive by zeroing or random data > wipe it with random data a few times before putting the real data on for > the first time. To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be slow, but claims to be effective against most reasonable attempts to recover data. Note that erasing a disk pretty much mandates not running an OS off it at the same time.... |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing msm <msm@domain.invalid> wrote: > To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be > slow, but claims to be effective against most reasonable attempts to > recover data. I've heard that recommended before. > Note that erasing a disk pretty much mandates not running an OS off it at > the same time.... Why? This is UNIX; it will run just fine [1] if the machine it is on suddenly goes diskless. Just compile yourself a program that writes random data into whatever file is named on the command line, repeats this a couple of times, and then zeroes the drive for good measure, and run it. Of course, you'll want to shut down by turning off the computer. Joachim [1] As long as you don't access the disk, do not need swap, etc, at least. But that's not too difficult to arrange on a quiet system. |
|
02-16-2008, 08:08 AM
| |||
| |||
| Re: Secure disk erasing On Wed, 11 Jul 2007 16:52:36 +0000, Joachim Schipper wrote: > msm <msm@domain.invalid> wrote: >> To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be >> slow, but claims to be effective against most reasonable attempts to >> recover data. > > I've heard that recommended before. I've used it before myself. The caveats are that (a) it can take long time, especially if you configure it for the recommended 17 or more erasure passes, and (b) very few people have the technology to verify whether the disk is sufficiently erased - mostly the people who do are the people one is trying to keep from the data in the first place. >> Note that erasing a disk pretty much mandates not running an OS off it at >> the same time.... > > Why? This is UNIX; it will run just fine [1] if the machine it is on > suddenly goes diskless. Fair enough. > Just compile yourself a program that writes > random data into whatever file is named on the command line, repeats > this a couple of times, and then zeroes the drive for good measure, and > run it. If you were feeling devious, you might then install a fresh OS and populate the system with copious logfiles and some totally uninteresting data and user accounts. > Of course, you'll want to shut down by turning off the computer. ;-) > [1] As long as you don't access the disk, do not need swap, etc, at > least. But that's not too difficult to arrange on a quiet system. True. It may still be easiest to do the erase from a liveCD of some sort. |
|
02-16-2008, 08:08 AM
| ||||
| ||||
| Re: Secure disk erasing msm wrote: > On Wed, 11 Jul 2007 16:52:36 +0000, Joachim Schipper wrote: > >> msm <msm@domain.invalid> wrote: >>> To kick in a suggestion, DBAN (Darik's Boot And Nuke - googleable) can be >>> slow, but claims to be effective against most reasonable attempts to >>> recover data. >> I've heard that recommended before. > > I've used it before myself. The caveats are that (a) it can take long > time, especially if you configure it for the recommended 17 or more > erasure passes, and (b) very few people have the technology to verify > whether the disk is sufficiently erased - mostly the people who do are the > people one is trying to keep from the data in the first place. > I've used DBAN myself as well and it takes a long time, depending mostly on the size, and a little on the RPM speed of the hard drive. However, if using enough passes and DOD compliant procedures, it will totally erase the drive. I asked this question on a form a few days ago: has anyone ever recovered data from a drive after it has been DBANed or Secure Erased. And the answer was; the people that may/are able to, probably won't tell... So if you want to reuse the drive and the adversary is not "big government/corporation" you are probably safe using DBAN or secure eraser. If your adversary is that well funded, presumably you will have enough planning and resources to afford another hard drive and physically destroy the one in danger. David >>> Note that erasing a disk pretty much mandates not running an OS off it at >>> the same time.... >> Why? This is UNIX; it will run just fine [1] if the machine it is on >> suddenly goes diskless. > > Fair enough. > >> Just compile yourself a program that writes >> random data into whatever file is named on the command line, repeats >> this a couple of times, and then zeroes the drive for good measure, and >> run it. > > If you were feeling devious, you might then install a fresh OS and > populate the system with copious logfiles and some totally uninteresting > data and user accounts. > >> Of course, you'll want to shut down by turning off the computer. > > ;-) > >> [1] As long as you don't access the disk, do not need swap, etc, at >> least. But that's not too difficult to arrange on a quiet system. > > True. It may still be easiest to do the erase from a liveCD of some sort. |
Linear Mode
