Security Basics mailing list archives

Re: Wiping a drive: /dev/zero or /dev/urandom better?


From: "Craig Wright" <craig.steven.wright () gmail com>
Date: Wed, 15 Oct 2008 13:36:23 +1100

Magnetic devices DO NOT have memory. They experience a hysteresis
effect. This is NOT Time based and is NOT going to supply the physical
effects associated with tool marks etc.

PRML and EPRML are based on analogue processes. Drives are not
digitally encoded, they are translated. There is no recovery - AFM,
MFM or whatever type of electron microscope you choose. The paper will
be available in Dec. The proof is detailed there and the process can
be replicated by anyone who cares to do so (I am actually surprised
that we are the first to have done it).

The 7 wipe (or more) theory is based on a flawed supposition.

The optimal bitwise recovery from a PRML drive that is no longer
available and was never used more than once is less than 92% per bit
(given foreknowledge of the write pattern). ePRML is as low as 49% per
bit using electron microscopy. Even at 92% per bit, the recovered data
is useless and random. This is detailed in the paper mentioned before.

At 49% - this is a modern drive - the toss of a coin is more accurate.
Think about that for a minute.

Regards,
Craig Wright GSE-Malware, GSE-Compliance
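As an added illustration (not part of the original post) of the per-bit figures above: if each bit is read back correctly with probability p and errors are independent, the chance that an n-byte region comes back exactly is p^(8n), and the simulation below models a read at that accuracy and counts how many bytes survive. The independent bit-error model and the sample data are constructed assumptions for the illustration, not a claim about drive physics.

```python
import random

BITS_PER_BYTE = 8


def prob_exact_recovery(n_bytes: int, per_bit_accuracy: float) -> float:
    """Probability that every bit of an n-byte region is read back correctly,
    assuming independent errors at the stated per-bit accuracy."""
    return per_bit_accuracy ** (n_bytes * BITS_PER_BYTE)


def simulate_recovery(data: bytes, per_bit_accuracy: float, seed: int = 0) -> bytes:
    """Constructed model of a bit-by-bit read: each bit of `data` is flipped
    independently with probability (1 - per_bit_accuracy)."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    out = bytearray()
    for byte in data:
        for bit in range(BITS_PER_BYTE):
            if rng.random() > per_bit_accuracy:
                byte ^= 1 << bit
        out.append(byte)
    return bytes(out)


def fraction_bytes_correct(original: bytes, recovered: bytes) -> float:
    """Share of bytes that came back identical to the original."""
    matches = sum(1 for a, b in zip(original, recovered) if a == b)
    return matches / len(original)


if __name__ == "__main__":
    # Constructed sample: one 4 KiB region of repeated text.
    sample = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    for acc in (0.92, 0.49):
        recovered = simulate_recovery(sample, acc)
        print(f"per-bit accuracy {acc:.2f}: "
              f"P(one byte exact) = {prob_exact_recovery(1, acc):.3f}, "
              f"P(512-byte sector exact) = {prob_exact_recovery(512, acc):.3e}, "
              f"bytes correct in sample = {fraction_bytes_correct(sample, recovered):.3f}")
```

At 92% per bit roughly half the bytes come back intact and a whole sector essentially never does; at 49% per bit the read is no better than guessing.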

On Wed, Oct 15, 2008 at 1:21 PM, Craig Wright
<craig.steven.wright () gmail com> wrote:
The simple answer is that it does not matter. A single wipe (done
correctly) will make it infeasible for ANYONE (even governments) to
recover information.

If you go to the page:
http://seclab.cs.sunysb.edu/iciss08/program.html

There is a paper being presented:
"Overwriting Hard Drive Data: The Great Wiping Controversy"
Craig Wright, Dave Kleiman and Shyaam Sundhar R.S..

The paper details this issue. A few people have seen it already. It
will be available (published) in Dec in the Springer Verlag LNCS
series. We hope that this paper will finally put some of the silly
myths to rest.

Regards,
Craig Wright GSE-Malware, GSE-Compliance

On Wed, Oct 15, 2008 at 2:39 AM, Adriel Desautels <adriel () netragard com> wrote:
use dban, it works wonders.

Regards,
       Adriel T. Desautels
       Chief Technology Officer
       Netragard, LLC.
       Office : 617-934-0269
       Mobile : 617-633-3821
       http://www.linkedin.com/pub/1/118/a45

       Join the Netragard, LLC. Linked In Group:
       http://www.linkedin.com/e/gis/48683/0B98E1705142

------------------------------------------------
Netragard, LLC - "The Specialist in Anti-Hacking"

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


JW wrote:
I've got a theoretical question: when wiping a drive (I'm talking about Linux
here), which of the following is more: fill the drive with data
from /dev/zero or /dev/urandom?

I ask because I often see people suggest something like the following for
wiping disks:

cat /dev/zero > /dev/hda

(and of course do it multiple times)

I got to thinking that (if you are really paranoid) it would probably be
easier for "the bad guy" to recover original data if you use /dev/zero
because it's so uniform, the "bad guy" can just look for anything other than
zeros - if it's not zero, it's data.

Which would imply that overwriting the data with /dev/urandom or /dev/random
would be more secure.

But I don't know enough about the internals of hard drives to know if it
really matters or not.

For clarity I'll point out that I'm not talking about wiping files in the
filesystem, I'm talking about wiping whole disks - I guess you'd say "at the
block level".

What do the resident experts here think?

      JW

--
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...