Security Basics mailing list archives

Re: Advice regarding servers and Wiping Drives after testing


From: "Daniel Anderson" <dtndan () gmail com>
Date: Fri, 14 Sep 2007 21:37:14 -0500

On 9/14/07, Daniel Anderson <dtndan () gmail com> wrote:
 So, to the guy who was looking for a good thesis topic - here it is!

 Write a good, scientifically valid, review of various destruction
methods (including different types of media) and the data recovery
that is possible (theoretically and in your testing) with varying
degrees of effort.

 Craig is right (did I just say that? :-) ) there is a lot of FUD in
this area, there are also, IMO, a lot of people spreading techniques
that are of questionable value.  I see both on at least a monthly
basis.

 As in practically any security situation you need to perform a risk
analysis (put a sound technique for this in your thesis too, probably
a high percentage of people on this list have limited experience and
education upon which to base our risk analysis of this topic) and make
sure you are not recommending installing acid baths in a situation
that warrants a wipe utility, or relying on actions which provide
limited protection (IMO like the hole drilling exercise that was
mentioned previously in this thread, or the guy who once told me he
was "ok" - since it was RAID 5 no data would be recoverable after he
shuffled the drives, etc.) for protecting highly confidential data.

 In the meantime -
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
- is a good reference for those of you without scanning electron
microscopes (but really...who doesn't?) who still want to be sure you
are doing a good job of purging your data.

 Dan

