RE: 51% can be enough Was: Wiping a drive

["Murda Mcloud" <murdamcloud () bigpond com>]

In agreement with Olatunji on the maths here. The fact that you have that
kind of chance of recovering 1 bit makes people think-'hey, I could recover
a single bit with a .49 chance. Cool. Now I can get back all of the data,' 
However, as Olatunji says, as you try and recover more bits the chance
plummets pretty quickly. Recover a whole drive? I'll believe it when I see
it. Recover even a file or two? Chance of 8 bits = how small?
How many bits on a 40Gb drive? I don't know but I've already lost count.

If someone disagrees with this can they please point to a 'valid, peer
reviewed' paper or some research that holds up the theory that you can
recover a zeroed drive. (Just like Ansgar asked the last time we had this
discussion.)
Somewhere where the guys in the clean room say, "last week we were sent this
drive that had been zeroed and now we have all of the data that once upon a
time lived on it even up to three generations ago. And here it is,"

I don't think Craig is 'misleading' when he states:
> The simple answer is that it does not matter. A single wipe (done
> correctly) will make it infeasible for ANYONE (even governments) to 
> recover information.

And I'd rather put my money on his paper setting the facts out straight than
I would on someone being able to recover even 8 bits of contiguous data. I'd
even rather put money on being able to guess 8 coin flips the right way.

Mathematically unfeasible is the thing to think about here. 

Unless of course someone can tell me that a 3 letter agency has this
recovery ability already but has kept it a secret because it involves
technology found at Roswell which was developed by Fox Mulder. Then I will
be completely convinced and will wear a tinfoil hat on my head with a big P
on it.








> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of Olatunji Nowlin
> > Sent: Friday, October 17, 2008 1:44 AM
> > To: Alexander Klimov; security-basics () securityfocus com
> > Subject: RE: 51% can be enough Was: Wiping a drive
> >
> > I think he is stating that there is a 49% of correct recovery of EACH
> > individual bit on the drive.  My math could be rusty after all these
> > years, but that would mean the chance of getting any two bits correct is
> > 0.49*0.49 or 0.24 (24%), when you work that out to getting 8 bits correct
> > it comes out to something like 0.00332 or 0.33% chance of getting a
> > single byte correct on the drive.  When you have a 0% chance of getting
> > one single byte correctly recovered I think the chances of recovering
> > anything useful off of the drive are NIL.
> >
> > I still have to read the actual document but this is my interpretation
> > from the mail that was sent.
> >
> >
> >
> > ________________________________________
> > From: listbounce () securityfocus com [listbounce () securityfocus com] On
> > Behalf Of Alexander Klimov [alserkli () inbox ru]
> > Sent: Wednesday, October 15, 2008 3:47 PM
> > To: security-basics () securityfocus com
> > Subject: 51% can be enough Was: Wiping a drive
> >
> > On Wed, 15 Oct 2008, Craig Wright wrote:
> > > Even at 92% per bit, the recovered data is useless and random. This
> > > is detailed in the paper mentioned before. At 49% - this is a modern
> > > drive - the toss of a coin is more accurate.
> >
> > Not sure what are exactly these numbers, but if it is probability of
> > correct recovery than they are not necessary useless. Suppose you edit
> > a text document and your editor automatically makes a backup copy of
> > it every five minutes. Even if backup is done with the same filename,
> > with journaling filesystems you end up with many dozens of copies of
> > the file content on your disk.
> >
> > Now, if locations of backups are predictable (the document is long
> > enough to make correlations sufficiently large), it is possible to
> > recover the document even if you can read every bit with 51% success
> > rate (btw, the probability cannot be less than 50%, because in that
> > case you should always guess the opposite) -- simply count what bit
> > value among copies is recovered more often.
> >
> > Btw, the standard way to wipe disk on Linux is to use shred that is a
> > part of coreutils that are already installed on almost every Linux
> > system.
> >
> > --
> > Regards,
> > ASK