Security Basics mailing list archives

RE: Interesting One


From: "Rodney, John" <John.Rodney () Marconi com>
Date: Fri, 1 Nov 2002 11:18:24 -0500

-----Original Message-----
From: ATD [mailto:simon () snosoft com]
Sent: Wednesday, October 30, 2002 6:08 PM
To: Carol Stone
Cc: security-basics () securityfocus com
Subject: Re: Interesting One

I have heard similar claims from "agencies" about the ability to recover
data after multiple re-writes. I also happen to know that several of
these "agencies" when doing drive disposal, literally drill holes in
their drives then incinerate them. That is after they wipe the drive
clean several times. I'd assume that there is a reason for such
paranoia, wouldn't you?  Or do you think they are just playing it super
safe?

**************************************************************************

I would go for poor judgment.  What is the point of taking the time to wipe
the drive several times, and then physically damaging it, before you melt
it!  That certainly sounds like overkill to me, or someone misinterpreting
and blending several requirements together.  Why not just melt it?  Aren't
the end results the same?

But having been in the DOD at one point and dealing with some of these and
similar regs/stds it does not surprise me.  Anyone ever hear of Tempesting
or the requirement to keep cabling (non-optic) for various levels of
classified LANs a certain distance (3 feet?) apart because of bleed over?
How many people have escorted someone else carrying a bag of shredded 5 and
1/2 floppies to an incinerator?  (These are sort of 'rhetorical', no answers
needed. I am not looking to change the subject or get any responses to these
or any other questions I posed in this reply)

Years ago, to dispose of classified floppies, I used a program that wrote 1s
and 0s then 0s and 1s seven times, then took the floppy and ran it through a
crosscut shredder, which was then emptied into a bag, and the bag was taken
to the incinerator.  Why?  Because the guy before me did it.  He told me the
NSA required it.  Did I ever take the time to find the reg/std that required
that? No. Does it make sense to take the time to wipe a floppy that is
going to be shredded and burned?  Hum? Did I show good judgment?  You have
to wonder . . .  Is there a reg/std that required this? Could be.  I did
read many regs/stds and there were more than a few that made me wonder what
on earth the people who wrote them were thinking.

I have never tried to wipe a GB drive 30 times (someone mentioned their
program does up to 100!).  I imagine that it takes a good deal of time.
Perhaps if the information on the disk is that valuable/sensitive, you would
be best served by finding a nearby incinerator.

I used to wonder why anyone would ever discuss how many angels could fit on
the head of a pin.  I think I have an idea now . . . ;-)

