Bugtraq mailing list archives
Putting the "NSA Data Overwrite Standard" Legend to Death...
From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Tue, 04 Feb 2003 10:57:09 -0600
OK, I'm sure this one will start a flame war, but...I work for a vendor whose products overwrite files when "deleting" them as a way of protecting old data. Lately several customers have been asking for "NSA" or "DoD" standard overwrites, usually with a value of 3, 7 or 9. (Our response to the feature was to more or less let the owner of the product pick the number of overwrites; the obvious tradeoff is more writes = slower disk.)
Anyway, while researching how we wanted to document recommended values for the overwrite feature, I looked into the "DoD" and "NSA" standards.
I was not surprised to see that a "DoD standard" DOES exist:
Government name: DoD 5220.22-M
A nice summary: http://www.zdelete.com/dod.htm (not my product)
Some original documents: http://www.dss.mil/isec/nispom.htm
Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED (non-removable rigid disk)
I was surprised, however, to learn that a "NSA standard" DOES NOT exist.
I did the usual Google searches and came up with nothing but various sites and postings claiming the standard was anything from 5 to 20 overwrites. Then I called the NSA (1-800-688-6115 - http://www.nsa.gov/isso). The first person I chatted with passed on the question, but the second answered the question in no uncertain terms - NSA is aware of DoD 5220.22-M and DOES NOT have a separate recommendation.
So...could this finally be the end of IT employees casually tossing around the "NSA overwrite standard" - or is there something I'm missing?
Second, where did the number 7 really come from? (It seems to be the leading recommendation out there right now for number of overwrites and is frequently attributed to the NSA.)
- Jonathan Lampe, GCIA, GSNA
- jonathan.lampe () stdnet com