RE: Advice regarding servers and Wiping Drives after testing

["Craig Wright" <Craig.Wright () bdo com au>]

Snake-oil BS and FUD.

Magnetic signatures are not time-stamped. There is no unerase
capability. 

What people seem to think is that a digital write is a digital
operation. This is a fallacy. Drive writes are analogue. They have a
probabilistic output. It is unlikely that an individual write will be a
+1.00000 [1]. Rather - there is a set range. There is a normative
confidence interval that the bit will be in. 

What this means is that there is generally a 95% likelihood that the +1
will exist in the range of (0.95, 1.05) there is then a 99% likelihood
that it will exist in the range (0.90, 1.10) for instance. This leaves a
negligible probability (1 bit in every 100,000 billion or so) that the
actual potential will be less than 60% of the full +1 value. This error
is the non-recoverable error rating of the drive for a single write.

As a result, there is no difference to the drive of a 0.90 or 1.10
factor of the magnetic potential. What this means is that due to
temperature fluctuations, humidity, etc the value will vary on EACH
write. 

There is no way to determine if a 1.06 is due to a prior write or a
temperature fluctuation.

On top of this the issue of magnetic decay will come into play. This
further skews the results.

Snake oil is used to sell product. Do not just use product XXXX, buy may
patented wipe tech. All others are no good. Only XXXX will save you...

Unfortunately, urban legend and FUD seems to trump science as:
1       Too few people have any scientific training and
statistical/engineering knowledge
2       People are gullible and like a good story.

Try reading papers on sites such as the IEEE. Scientific papers (real
peer reviewed ones from respectable journals) have far more value than a
Wiki or a google search.

Regards,
Craig

[1] Using a factor of the drives magnetic density that relates to a +1
bit pattern for simplicity.



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of William Holmberg
Sent: Thursday, 13 September 2007 5:30 AM
To: gjgowey () tmo blackberry net; Ansgar -59cobalt- Wiechers;
listbounce () securityfocus com; security-basics () securityfocus com
Subject: RE: Advice regarding servers and Wiping Drives after testing

Hi Robert,

It is interesting that you point this out. One of the people in our
local chapter told me there was a company or group of electronics people
working on a "Drive level" SATA "Adapter" (for lack of a better word I
guess) that would read the "top level" magnetic layer generated by the
head on a particular sector, and exactly measure it's intensity, then
generate an "inverse field" (not my words) which would effectively
nullify that overwrite, leaving the last write before that one plainly
readable (with some variables). He said it was an exciting prospect
because since the head that last wrote the 1 or 0 was the one that
"erased" it, it worked to a point of surprising the design team with
it's ability to accurately reconstruct data overwritten. 

How much of that was hearsay, fabrication, or wishful thinking, I don't
know. He compared it to military sound suppression devices for
helicopters, which (if you didn't know) can sample the exact frequency
generated by the rotors and moving parts and generate an inverse
frequency, out of phase with the original, through powerful Horn Drivers
mounted under the rotors. The effect in sound engineering is a precisely
controlled "OOP" (Out OF Phase) situation. You can experience it to a
lesser degree very simply with your home stereo speaker. Simply exchange
one of the speakers Red and Black connectors. The phase cancellation
that occurs makes it very difficult to hear certain frequencies
(depending upon that particular speakers dynamic range and other boring
items) and in some cases can almost entirely cancel out each other
across many frequencies.

Note: If you do this, do not turn it up too loud, because the other
effect is that the speakers will be pulling "IN" when they should be
pushing "Out", and the Coils can get damaged by bottoming out and
inverse clipping. Horns should be unaffected however.

Thanks for all the stimulating conversation on this, as well as the
fascinating reading materials.

-Bill

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of gjgowey () tmo blackberry net
Sent: Wednesday, September 12, 2007 12:52 PM
To: Ansgar -59cobalt- Wiechers; listbounce () securityfocus com;
security-basics () securityfocus com
Subject: Re: Advice regarding servers and Wiping Drives after testing

What you're forgetting is that these pieces of software aren't you
normal "access the hdd through regular os calls". These pieces of
software are sending low level commands to the drive its self an
interpreting what's sent back instead of relying on a middle layer.
They can literally have the head scan a particular sector as many times
as is needed until it gets a signal back that resembles something
useable.  Writing all 0's will never prevent against software recovery
because the all 0's approach is like recording over a used VCR tape
once.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>

Date: Wed, 12 Sep 2007 12:48:42 
To:security-basics () securityfocus com
Subject: Re: Advice regarding servers and Wiping Drives after testing


On 2007-09-11 William Holmberg wrote:
> On Tuesday, September 04, 2007 1:03 PM Ansgar -59cobalt- Wiechers
wrote:
> > On 2007-09-01 gjgowey () tmo blackberry net wrote:
> > > A since pass with all zero's really won't protect your data from
> > > being recovered by more advanced data recovery software let alone
> > > alone hardware.
> >
> > I'd like to see a single case where someone was able to recover data
> > from an overwritten harddisk, even after a single pass with zeroes.
>
> No doubt you are an intelligent and well educated person in these
> fields, and probably have many areas of expertise more proficient than
> mine. I do have to state however, and nearly any Infragard member can
> tell you, the FBI uses tools that accomplish this on a regular basis.
> I have no doubt other agencies do as well. We have had demonstrations
> of it remotely in a class I help instruct, SAFE computing for Law
> Enforcement and Non-Profits (SAFE is Security And Forensic Education)
> at Metro State University of Minnesota, MCTC campus.

Demonstrations of recovering data from fully overwritten media, without
opening the case? Sorry, but I seriously doubt that. Feel free to prove
me wrong, but without evidence I find that really hard to believe. Keep
in mind we're not talking about wiping single files, but overwriting the
entire media.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq