[ILUG] wiping a faulty hard disk
bigbro at skynet.ie
Thu Aug 9 16:13:27 IST 2007
Timothy Murphy wrote:
> On Thu 09 Aug 2007, you wrote:
> I glanced at this, but it seemed completely irrelevant to the point at issue.
> As far as I could see, it was about e-voting.
Yes - today's article is about e-voting. There are numerous articles in
the past about hard disks, such as
http://www.schneier.com/blog/archives/2005/03/sensitive_infor.html to pick
> I am asking what the probability is of someone at Seagate, say,
> scanning your hard disk (out of the tens of thousands they must have)
> finding your secret information and selling it to your rivals.
> I would say it is less than the probability of your being hit on the head
> by a meteorite.
Indeed - but the probability of someone other than someone at Seagate
getting their hands on your disk is extremely high. Particularly if that
someone actually makes an effort to get disks (and remember, they may not be
targeting your disk in particular - they'll just play the numbers game and
hope they find something on any disks they get, perhaps... You might just be
the unlucky one.)
> I may not have your deep understanding of security,
> but if I had secret information on my hard disk I would encrypt it.
> (I do have and I do.)
Good stuff - many people don't even take this basic step. Even those that
do may not realise that there's also an unencrypted 'cache' copy of the file
somewhere else on the disk. Many encryption techniques are also easily
reversible, particularly given time and sufficient motivation - and remember,
since you think your disk and data are gone, this third party can crack it at
their own pace and using whatever techniques they like without your knowledge.
> Obviously security is reasonably important,
> but much of the discussion about it (and the related topic of terrorism)
> is ludicrously exaggerated.
I really cannot agree with this. When over 50% of people stopped and
offered a bar of chocolate to give one of their work passwords to the
honest-looking survey taker, it's quite clear to me that not enough emphasis is given
to the importance of security.
> You don't leave your front door open.
> But that doesn't mean you have to put bullet-proof armour on it.
Ah - you don't leave your front door open - neither do you return a disk
with sensitive information on it :-) I bet you wouldn't post a €50 note in a
clear plastic envelope through the mail either - wiping a disk prior to
allowing it to leave your possession is (to me) a basic tenet of security.
> Incidentally, I assume from your posting that this guy Schneier
> has some sort of financial interest in security.
> Such people are largely responsible for the unbalanced approach to the subject.
Bruce Schneier is a security consultant - probably one of the best known
at the moment. He distinguishes himself (IMHO) by not concentrating on
security in any particular segment, but by explaining that security must be
looked at as a whole piece.
For example, I can keep my PIN secret, but if I leave all the letters I
get from my bank, a copy of my birth cert., my passport, a few bank statements
and my bank card in a clear plastic folder on a bus, it probably doesn't
matter how secure the bank's PIN authentication service is. Some third party
can probably convince the bank they are me and get a new PIN reissued to them.
Or more likely, withdraw money from my account without even knowing or caring
what my PIN is.
Hope this helps.