[ILUG] wiping a faulty hard disk

Gareth Eason bigbro at skynet.ie
Thu Aug 9 16:13:27 IST 2007


Timothy Murphy wrote:
 > On Thu 09 Aug 2007, you wrote:
[snip]
 > I glanced at this, but it seemed completely irrelevant to the point at issue.
 > As far as I could see, it was about e-voting.

     Hi,

     yes - today's article is about e-voting. There are numerous articles in 
the past about hard disks, such as 
http://www.schneier.com/blog/archives/2005/03/sensitive_infor.html  to pick 
but one.

 > I am asking what the probability is of someone at Seagate, say,
 > scanning your hard disk (out of the tens of thousands they must have)
 > finding your secret information and selling it to your rivals.
 > I would say it is less than the probability of your being hit on the head
 > by a meteorite.

     Indeed - but the probability of someone other than someone at Seagate 
getting their hands on your disk is extremely high. Particularly if that 
someone actually makes an effort to get disks (and remember, they may not be 
targeting your disk in particular - they'll just play the numbers game and 
hope they find something on any disks they get, perhaps... You might just be 
the unlucky one.)


 > I may not have your deep understanding of security,
 > but if I had secret information on my hard disk I would encrypt it.
 > (I do have and I do.)

     Good stuff - many people don't even take this basic step. Even those that 
do may not realise that there's also an unencrypted 'cache' copy of the file 
somewhere else on the disk. Many encryption techniques are also easily 
reversible, particularly given time and sufficient motivation - and remember, 
since you think your disk and data are gone, this third party can crack it at 
their own pace and using whatever techniques they like without your knowledge.

 >
 > Obviously security is reasonably important,
 > but much of the discussion about it (and the related topic of terrorism)
 > is ludicrously exaggerated.

     I really cannot agree with this. When over 50% of people stopped and 
offered a bar of chocolate to give one of their work passwords to the 
honest-looking survey taker, it's quite clear to me that not enough emphasis is given 
to the importance of security.

 > You don't leave your front door open.
 > But that doesn't mean you have to put bullet-proof armour on it.

     Ah - you don't leave your front door open - neither do you return a disk 
with sensitive information on it :-) I bet you wouldn't post a €50 note in a 
clear plastic envelope through the mail either - wiping a disk prior to 
allowing it to leave your possession is (to me) a basic tenet of security.


 > Incidentally, I assume from your posting that this guy Schneier
 > has some sort of financial interest in security.
 > Such people are largely responsible for the unbalanced approach to the subject.

     Bruce Schneier is a security consultant - probably one of the best known 
at the moment. He distinguishes himself (IMHO) by not concentrating on 
security in any particular segment, but by explaining that security must be 
looked at as a whole piece.

     For example, I can keep my PIN secret, but if I leave all the letters I 
get from my bank, a copy of my birth cert., my passport, a few bank statements 
and my bank card in a clear plastic folder on a bus, it probably doesn't 
matter how secure the bank's PIN authentication service is. Some third party 
can probably convince the bank they are me and get a new PIN reissued to them. 
Or more likely, withdraw money from my account without even knowing or caring 
what my PIN is.

     Hope this helps.

     Best regards,
     -->Gar







