Bugtraq mailing list archives

Re: Putting the "NSA Data Overwrite Standard" Legend to Death...


From: Simple Nomad <thegnome () nmrc org>
Date: Tue, 4 Feb 2003 12:03:02 -0600 (CST)

Jonathan,

When I was developing ncrypt (http://ncrypt.sourceforge.net/) I wanted to
include a wiping function for the original plaintext file. I did a lot of
searching and found numerous references to NSA or DoD standards, but that
particular DoD reference was also as close as I got.

I have implemented Peter Gutmann's recommendations from his 1996 paper
"Secure Deletion of Data from Magnetic and Solid-State Memory" (which is
at http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) as a wiping
alternative. This gives you 35 overwrites in a bit pattern designed to
thwart advanced recovery efforts. How effective it is remains to be seen
(who has the equipment AND knowledge to test it?).

Near as I can tell if someone says they are doing NSA overwrites, they are
full of shit. In addition, based upon Mr. Gutmann's paper and the fact
that it is quite old, one can assume that with advanced forensics the
simple 3, 7, or 9 time overwrites that these products are claiming as
secure actually are not even close to the level of security they claim. In
fact, by following this "glossy brochure" de facto standard, data is not
secured from recovery by an advanced recovery effort at all.

Where does the level of security lie? On one end of the spectrum, your kid
sister cannot recover the file, on the other end the big spook agencies
can get it no problem. The question is who can do an advanced recovery
effort these days?

-         Simple Nomad          -    negotium     -
-      thegnome () nmrc org        -   perambulans   -
-  thegnome () razor bindview com  -   in tenebris   -

On Tue, 4 Feb 2003, Jonathan G. Lampe wrote:

OK, I'm sure this one will start a flame war, but...I work for a vendor
whose products overwrite files when "deleting" them as a way of protecting
old data.  Lately several customers have been asking for "NSA" or "DoD"
standard overwrites, usually with a value of 3, 7 or 9.  (Our response to
the feature was to more or less let the owner of the product pick the
number of overwrites; the obvious tradeoff is more writes = slower disk.)

Anyway, while researching how we wanted to document recommended values for
the overwrite feature, I looked into the "DoD" and "NSA" standards.

I was not surprised to see that a "DoD standard" DOES exist:
   Government name: DoD 5220.22-M
   A nice summary: http://www.zdelete.com/dod.htm (not my product)
   Some original documents: http://www.dss.mil/isec/nispom.htm
   Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED (non-removable rigid disk)

I was surprised, however, to learn that a "NSA standard" DOES NOT exist.

I did the usual Google searches and came up with nothing but various sites
and postings claiming the standard was anything from 5 to 20
overwrites.  Then I called the NSA (1-800-688-6115,
http://www.nsa.gov/isso).  The first person I chatted with passed on the
question, but the second answered the question in no uncertain terms - NSA
is aware of DoD 5220.22-M and DOES NOT have a separate recommendation.

So...could this finally be the end of IT employees casually tossing around
the "NSA overwrite standard" - or is there something I'm missing?

Second, where did the number 7 really come from?  (It seems to be the
leading recommendation out there right now for number of overwrites and is
frequently attributed to the NSA.)

- Jonathan Lampe, GCIA, GSNA
- jonathan.lampe () stdnet com
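Both posts above talk about N-pass overwrites in the abstract. The following is an added example, written for this archive page and not taken from either poster or from ncrypt: a small Python file wiper that lets the caller pick the number of passes (as Jonathan's product does) and cycles through the three-step sequence the 1995 NISPOM clearing-and-sanitization matrix gives for rigid disks: a character, its complement, then random data, with read-back verification of the fixed-pattern passes. The byte values 0x00 and 0xFF, the function names and the chunk size are my choices, not anything the thread specifies. Note what the verification does and does not prove: reading the file back after fsync() shows the filesystem accepted the write, not that the old magnetic or flash cells were physically overwritten, and in-place overwriting only makes sense at all when the filesystem rewrites the same blocks rather than allocating new ones.

```python
import os
import secrets

# Three-step sequence attributed to the 1995 NISPOM (DoD 5220.22-M) for
# rigid disks: a character, its complement, then random data.  The specific
# byte values here are this example's choice, not something the thread states.
# None marks a random pass.
DOD_PATTERNS = (b"\x00", b"\xff", None)

CHUNK = 64 * 1024


def _overwrite_pass(fd, size, pattern):
    """Write `size` bytes of `pattern` (or random bytes if pattern is None)
    from the start of the file, then fsync so the kernel hands the data to
    the device rather than leaving it in the page cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if pattern is None else pattern * n
        written = 0
        while written < n:  # os.write may write fewer bytes than asked
            written += os.write(fd, block[written:])
        remaining -= n
    os.fsync(fd)


def _verify_pass(fd, size, pattern):
    """Read the file back and confirm every byte matches `pattern`.
    Random passes have nothing deterministic to compare against, so they
    are reported as verified without a read-back.  A successful read-back
    proves the filesystem holds the new data, not that the medium does."""
    if pattern is None:
        return True
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        data = os.read(fd, n)
        if data != pattern * n:
            return False
        remaining -= n
    return True


def wipe_file(path, passes=3, remove=True):
    """Overwrite `path` in place `passes` times, cycling through DOD_PATTERNS,
    verifying each fixed-pattern pass, then optionally unlink it.

    Returns a list of (pass_number, pattern_label, verified) tuples.
    Raises OSError if a read-back does not match, rather than continuing
    and reporting a wipe that did not happen.
    """
    size = os.path.getsize(path)
    results = []
    fd = os.open(path, os.O_RDWR)
    try:
        for i in range(passes):
            pattern = DOD_PATTERNS[i % len(DOD_PATTERNS)]
            _overwrite_pass(fd, size, pattern)
            ok = _verify_pass(fd, size, pattern)
            label = "random" if pattern is None else "0x" + pattern.hex()
            results.append((i + 1, label, ok))
            if not ok:
                raise OSError(f"pass {i + 1} ({label}) read back a different "
                              f"pattern; refusing to report the file as wiped")
    finally:
        os.close(fd)
    if remove:
        os.remove(path)
    return results


if __name__ == "__main__":
    import sys
    n = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    for num, label, ok in wipe_file(sys.argv[1], passes=n):
        print(f"pass {num}: {label} verified={ok}")
```

A seven-pass run just cycles the same three steps; nothing in this thread establishes what a "7" or "9" pass pattern should be, which is exactly Jonathan's question.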
