Security Basics mailing list archives
RE: Wiping a drive: /dev/zero or /dev/urandom better?
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 15 Oct 2008 08:08:39 +1000
Quicker than you can say déjà vu! If the whole disk is wiped then it doesn't matter. The whole disk is zeroed (I have now declared this a verb if it wasn't already). Some people like to think that having random means that the drive looks less 'suspicious', I'm not really convinced of this though.
I got to thinking that (if you are really paranoid) it would probably be easier for "the bad guy" to recover original data if you use /dev/zero because it's so uniform, the "bad guy" can just look for anything other than zeros - if it's not zero, it's data.
If the whole drive has been zeroed and the command has DEFINITELY completed then you don't need to worry about bad guys/good guys or even Harry Potter (Datum! Recoverandum!-bzzt) getting your data back. Personally, I'd use dcfldd as it gives a little progress counter and other enhancements. And once is enough. Multiple passes are not much use. I will now let others discuss their favourite methods for destroying drives using small thermonuclear devices or industrial machinery...
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of JW
Sent: Tuesday, October 14, 2008 8:47 AM
To: security-basics () securityfocus com
Subject: Wiping a drive: /dev/zero or /dev/urandom better?

I've got a theoretical question: when wiping a drive (I'm talking about Linux here), which of the following is more: fill the drive with data from /dev/zero or /dev/urandom?

I ask because I often see people suggest something like the following for wiping disks:

cat /dev/zero > /dev/hda

(and of course do it multiple times)

I got to thinking that (if you are really paranoid) it would probably be easier for "the bad guy" to recover original data if you use /dev/zero because it's so uniform, the "bad guy" can just look for anything other than zeros - if it's not zero, it's data.

Which would imply that overwriting the data with /dev/urandom or /dev/random would be more secure. But I don't know enough about the internals of hard drives to know if it really matters or not.

For clarity I'll point out that I'm not talking about wiping files in the filesystem, I'm talking about wiping whole disks - I guess you'd say "at the block level".

What do the resident experts here think?

JW

--
----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com
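The reply above hinges on the zeroing pass having definitely completed. As an added example (not part of the original thread), the sketch below reads a target back and reports any chunk that is not all zeros, which is how an interrupted wipe shows up. The function names and the small image file are constructed for illustration; pointing it at a real block device needs read permission on that device.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read the target back 1 MiB at a time


def verify_zeroed(path, chunk_size=CHUNK):
    """Read path (disk image or block device) end to end.

    Returns (total_bytes, nonzero_chunks, first_nonzero_offset);
    first_nonzero_offset is None when every byte read was zero.
    """
    total = 0
    nonzero_chunks = 0
    first = None
    with open(path, "rb", buffering=0) as dev:
        while True:
            buf = dev.read(chunk_size)
            if not buf:
                break  # end of device or image
            rest = buf.lstrip(b"\x00")
            if rest:
                nonzero_chunks += 1
                if first is None:
                    # bytes stripped from the front give the exact offset
                    first = total + len(buf) - len(rest)
            total += len(buf)
    return total, nonzero_chunks, first


def make_sample_image(path, size, leftover_at=None):
    """Constructed test input: a zero-filled image, optionally with
    stale bytes left behind as if the wipe stopped early."""
    with open(path, "wb") as img:
        img.write(b"\x00" * size)
        if leftover_at is not None:
            img.seek(leftover_at)
            img.write(b"old file contents")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        make_sample_image(image, 4 * CHUNK, leftover_at=3 * CHUNK + 512)
        total, bad, first = verify_zeroed(image)
        print(f"read {total} bytes, {bad} non-zero chunk(s), first at {first}")
```

The total byte count should also match the device size, since a short read-back means the check itself did not cover the whole disk.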