Years ago, I bought an old Sun Netra server from ebay. It had the original OS and apps still installed. Before installing OpenBSD, I changed the root password and looked around. It had customer data from a large, well-known online company.
I looked up the company's contact info and emailed them. They called the next day and asked for the server's serial number (which I gave them). A few days later one of the company's executives called back and asked me to confirm the serial number (which I did); he said he was holding a certificate of destruction for that server's hard drives and would be taking some action against the contractor that had been hired to destroy them. I had already wiped the data and installed OpenBSD (or was about to).
Anyway, I'm not surprised this type of thing still occurs. To be sure data is not exposed, companies ought to wipe drives themselves and encrypt them before handing them over to contractors. Once the gear is gone, no one knows where it will end up.
I had a similar experience. Bought a 1U server on eBay. It was apparently the central controller for the flight information displays at a big airport. Lots of plain text passwords for upstream services in config files, etc.
If things are that sensitive and important no disk should leave a building whole. You have to have a ridiculous process in place that is unforgiving that says that unless physically destroyed a disk cannot leave a building (unless it's in a sealed bag from the manufacturer; obviously disks have to get from receiving to where they'll be used).
Part of the problem is that modern hard drives are hard to destroy. E.g. try taking a hammer and chisel to them - you might manage to destroy the connectors and PCBs, but those are replaceable, and someone having hacked the pcb to pieces is a good sign it's worth trying to get to the contents. Getting to the platters is a pain, and destroying them enough to make recovery impossible as well.
If you don't have a facilities department that is prepared - e.g. with protective gear and an angle grinder or similar power tools - odds are someone will decide it's easier to bypass that process you describe than to get the equipment and do the job properly. It takes firm management by someone who knows and understands the risks and cares about preventing them to ensure it's hard enough to bypass these processes, and hiring someone that takes this seriously just isn't high up on people's list (e.g. I've never been asked about what approach I'd take to physical security of server infrastructure by anyone wanting to hire me for roles where I'd be responsible for server infrastructure).
I haven't taken a hard drive apart for about a decade but last time I did take one apart getting at the platters was a job for a couple of minutes and a hex-driver.
At that point, when the platters have been exposed, you're basically done, feel free to scratch them up or smash them with a hammer.
Frankly, having read about this, a once-over pass with dd if=/dev/zero of=/dev/sdX is going to be enough to destroy all data anyway.
There is no instance I know of that the theoretical data-recovery techniques proposed to recover after that have been successful in practice, they depended on electron microscopes and 90s platter densities.
I think you’re right that zeroing is effective with today’s densities but it lacks visual evidence that gives confidence a policy was executed properly.
Also with defective drives or S.M.A.R.T. failures it’s easier to meet the requirements by physically destroying the medium.
> when the platters have been exposed, you're basically done
I've run drives with the platters exposed. I've push-started a drive (with a damaged motor) with my fingers and copied data out. You need to destroy the platters properly if you're going to prevent people from getting data out. Even partially damaging platters is insufficient.
> Frankly, having read about this, a once-over pass with dd if=/dev/zero of=/dev/sdX is going to be enough to destroy all data anyway
The problem with that is that you're trusting that people have actually done that, and that nothing went wrong and that the drive firmware was not compromised. If we could trust that people would properly delete the data, then this wouldn't be a problem, but the whole point is that we can't. If you're always doing it yourself, and are a low-risk enough target to be able to reasonably rule out a compromised system or firmware, then that's a sufficient solution.
That said, a lot of the time, drives are being discarded when they stop working, and people assume they're unrecoverable, and are unable to confirm or overwrite data. Drives like that are a great source of data for anyone prepared to try some repairs.
> I've run drives with the platters exposed. I've push-started a drive with my fingers and copied data out.
That surprises me. Recently? And you've done that by transplanting the platters into a new drive? (Assume we wrecked the heads completely when we removed the platters)
> Even partially damaging platters is insufficient.
Really? You've recovered data from part-broken platters that have been removed and scratched or partially shattered?
> The problem with that is that you're trusting that people have actually done that
Sure, but unless the CEO is going to inspect every drive destruction, you're trusting people have actually done the rest too. There's trust here somewhere.
> and that nothing went wrong
You can usually see from the command output if it has.
> and that the drive firmware was not compromised.
If the firmware was compromised all bets are off anyway, the data's already been exfiltrated using spin speed modulation to transmit your data out as audio, as far as you know...
> That surprises me. Recently? And you've done that by transplanting the platters into a new drive? (Assume we wrecked the heads completely when we removed the platters)
Few years since the last time. I've done that by opening a damaged drive that didn't want to spin up, and "helping" the motor get it started. The first time I tried this was a long, long time ago, and I ran that drive for ~6 months open and exposed, but that time was certainly with far lower densities. I've not tried this with wrecked heads, but given I tried this just by connecting a drive, I'm unwilling to risk assuming damaging the heads is sufficient as well - maybe it is; it certainly would make it harder. I'll happily believe that I've just gotten lucky in getting data out this way, but the point is it's clearly possible whether or not it may be rare for it to work that well, and it's an unnecessary risk.
> Really? You've recovered data from part-broken platters that have been removed and scratched or partially shattered?
Scratches, yes.
Partly shattered I haven't tried; I haven't had a reason to. If you make sure every platter is shattered, then it might well be sufficient. I've yet to see someone enforce shattering platters - most attempts at drive destruction I see tend to be people who haven't even bothered opening the drive, but have just tried destroying it from the outside and ended up damaging PCBs etc. but nothing more (reality is that most IT departments in smaller shops don't even have hex tools small enough to open a modern drive); I have never had reason to try to recover data from drives people have made serious attempts at physically destroying the platters properly on.
> Sure, but unless the CEO is going to inspect every drive destruction, you're trusting people have actually done the rest too. There's trust here somewhere.
That's true, but it is easier to enforce visual inspection of a physical object than to try to forensically verify that a drive has been digitally overwritten in a way that is actually meaningful. Of course at some point you have done enough.
More importantly, by insisting on a standard of visual inspection to confirm a drive is destroyed or severely damaged, you ensure the commercial value of the drive itself reduces the incentive to remove drives that may or may not yet have been properly wiped.
> You can usually see from the command output if it has.
Assuming the person doing the destruction cared enough to pay attention.
> If the firmware was compromised all bets are off anyway, the data's already been exfiltrated using spin speed modulation to transmit your data out as audio, as far as you know...
Or it hasn't, and someone replaced it exactly because it's a simple means of bypassing a non-physical destruction process and carrying the drives out right in front of security even if someone else needs to sign off on the wipe. It may seem contrived, but replacing firmware is a well enough known attack by now that it seems like a pointless risk.
To be clear, I'm not questioning that you can ensure you have wiped the data digitally if you do it yourself and take enough care. But I don't think that is a good basis for a company to set policies around, because it's too hard to enforce once you take into account potential malicious interference and/or profit potential.
Heads are entirely ruined very easily, to the point where I'm not convinced you could insert the platters into a new drive of the same model without wrecking those too.
> Assuming the person doing the destruction cared enough to pay attention.
And we're back to trust. No method works if you have no trust in it being carried out. Including destruction (see the post we're replying to).
Honestly I think, as with most data safety discussions, we're not talking about realistic threat vectors nor about common avenues of attack.
And when we're talking about compromised drive firmware that is smart enough to use one method of exfiltration that neatly suits your argument but not another that doesn't, I think we're not really arguing about anything useful any more.
> Heads are entirely ruined very easily, to the point where I'm not convinced you could insert the platters into a new drive of the same model without wrecking those too.
And yet for that to matter you need to ensure they actually are wrecked. I have no doubt you are able to destroy drives well enough for it to be impossible to get data out. That is not the point.
The point was that a lot of the damage that people think is sufficient to render a drive inoperable isn't. Most drives I've seen that people think they've destroyed do not have destroyed drive heads or shattered platters; most of them have not even been opened.
Maybe you do a proper job at it. But most people don't even know how to do the prerequisite damage.
But when you suggested that just opening the drive is enough, you were wrong.
If I can get data out of a drive that has been opened without any equipment or experience with data recovery, then that's a pretty low bar. Maybe I got lucky, but other people might get lucky too. It's a pointless risk.
Maybe destroying the heads is sufficient - I haven't tried recovering from that, so I don't know, and so I won't claim to know. Unlike when you assumed opening a drive is enough, even though it isn't. But given your assumptions on that are wrong, I don't trust your assumptions about damaging the heads either.
> And we're back to trust
Trust in things that can be verified more easily by less specialized staff matters. Hence why the more thorough physical destruction the better.
> And when we're talking about compromised drive firmware that is smart enough to use one method of exfiltration that neatly suits your argument but not another that doesn't, I think we're not really arguing about anything useful any more.
The one method only requires the drive to return false results that are sufficiently convincing to suggest to someone verifying the destruction that the drive is clean. It just requires a pre-prepared firmware update to be downloaded to the drive, pretending to wipe the drive, and walking out with them.
The other is complex and error prone and requires an ongoing communications channel to the outside.
That you even suggest the two are equivalent in complexity is ludicrous.
Sure, lots of things will do the trick. But the point is an IT department that has any tools sufficient to properly destroy a hard drive is rare until you get to a certain size and the company has hired at least one person that deeply cares about guaranteeing physical destruction.
I've never been in the business of wiping drives, but I had thought a strong magnet would do the trick for this? Or is the physical damage also relevant here? Curious if I've just been wrong this whole time...
Physically destroying them is more relevant to be able to evidence that the data was actually destroyed. If you do it yourself and are sure it was strong enough and that you haven't e.g. just damaged the controller, then you're probably good. Making sure the platter is actually ruined leaves less room to question whether or not it was actually properly destroyed.
You make that policy and pay a contractor to enforce it, and now you're back to square #1. Usable hard disks are just heavier and more inconvenient money.
Truly ensuring their destruction is going to cost, including but not limited to security guards, people to watch those people, searching through or destroying the trash generated in the building, looking through "parts" to see if they're disassembled hard disks etc.
If it's an e-commerce concern as alluded to, then they are in a data center and already have limited access, materials air locks, security guards and cameras, so the main thing missing is a policy enforcing it as a firable offense.
...and the tools, space, consumables, safety equipment, cleaning equipment, training, and policies making on-site destruction possible.
I can easily angle-grind a HDD in two in my garage, where if I fuck it up no-one would be liable. But it would be quite involved to do the same thing in work, where if I fuck up they'd be liable.
Unless of course your rule is "diligently follow all security policies, but ignore and bypass workplace safety policies" which I would say is a confusing message to give your employees.
Of course, there's no excuse not to dd zeros over the entire disk and, (if it's an SSD) trigger a security-erase with hdparm.
Years ago we settled on using block device encryption for all flash storage and then destroying the headers or revoking all keys.
This satisfies the infeasibility requirement of NIST SP 800-88 without relying on flash vendors to have appropriately implemented ATA command standards like secure erase, which almost none fully do.
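The crypto-erase that comment describes, written out as an added example for Linux dm-crypt/LUKS (this is not the commenter's own procedure, nor anything from the article): destroy every keyslot with cryptsetup, then overwrite the header region itself so no trace of the keyslot area remains, and read back to confirm. It assumes root, a LUKS-formatted block device and the default on-disk layout (a LUKS2 header occupies the first 16 MiB, LUKS1 roughly the first 2 MiB, so 16 MiB covers both); the 6-byte magic "LUKS\xba\xbe" is the LUKS signature. The one thing the script cannot check is whether a header backup (cryptsetup luksHeaderBackup) or a detached header exists elsewhere: if one does, the data is still recoverable, so those copies must be tracked and destroyed with the same rigor.

```shell
#!/bin/sh
# Added example, not from the thread: crypto-erase of a LUKS device.
# The device only ever held ciphertext, so destroying the key material
# (keyslots) and the header that stored them is what makes the data
# unrecoverable; the bulk of the flash is never touched. Requires root.
set -u

luks_magic_present() {
    # Both LUKS1 and LUKS2 primary headers begin with the magic "LUKS\xba\xbe".
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

zero_header_region() {
    # Overwrite the first $2 MiB of $1 with zeros and force it to the device.
    # conv=notrunc keeps a regular file at its size (used when testing on a file).
    dd if=/dev/zero of="$1" bs=1M count="$2" conv=notrunc,fsync status=none
}

crypto_erase_luks() {
    dev=$1
    # Refuse anything that is not a block device: a typo must not wipe a file.
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    luks_magic_present "$dev" || { echo "$dev has no LUKS header" >&2; return 1; }
    # Step 1: let cryptsetup destroy every keyslot (-q skips the confirmation).
    # Afterwards 'cryptsetup luksDump' shows no keyslots and no passphrase opens it.
    cryptsetup -q luksErase "$dev" || return 1
    # Step 2: overwrite the header area as well, so even a sabotaged luksErase
    # or a lying keyslot dump cannot leave key material behind (16 MiB covers
    # the default LUKS2 header; LUKS1 headers are about 2 MiB).
    zero_header_region "$dev" 16 || return 1
    # Step 3: read back. If the magic is still there, the write did not land.
    if luks_magic_present "$dev"; then
        echo "header still present on $dev" >&2; return 1
    fi
    echo "crypto-erase of $dev complete; destroy any header backups separately"
}
```

Usage as root: `. ./luks-erase.sh; crypto_erase_luks /dev/sdX`. Destroying keyslots alone already meets the "infeasible to recover" bar; the header overwrite is the cheap visual-evidence step the thread keeps asking for, since a plain `luksDump` or the magic check gives the person signing off something concrete to look at.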
This destroys the filesystem, but not the physical disk, right? I mean, will the SSD be usable after that, albeit, by installing a new filesystem and reformatting?
Correct. It's not like when degaussing wipes the track information from a HDD.
This is also as opposed to relying on the self-encrypting feature on most modern flash. Whether you're dealing with high enough asset value to warrant this level of interest or are just beholden to the same standards, you should reach out to your flash vendor for clarification.
No OS handling sensitive data should ever save on unencrypted volumes, ever. Particularly nowadays - with BitLocker and FileVault it’s trivial to achieve this even on desktops and laptops. When you want to kill the data, you just destroy the/any key and you’re done.
Why rely on hardware encryption, when software encryption is basically free?
Writing random bits is more or less guaranteed to work on the bulk of the data. There are small caveats with caches, degraded cells, and other degradation management mechanisms, but I would be quite surprised if anything can be extracted; the chance of having a critical piece of data remain recoverable (at great effort) should be insignificant for most applications. I do wish manufacturers would make a 'wipe all memory and caches' command, but it's not exactly in their interest to ease resale of used hardware... (it could be pitched as increased customer value).
This whole destruction thing is very economically and environmentally nonsensical to me.
If you mean a big sledgehammer, maybe. Speaking from experience, even with a chisel making more than a dent in a modern harddrive with a hammer in ways that can't be fixed by replacing a pcb or other parts is hard work.
Not an expert here (suggestions welcome), but maybe short of having some thermite at hand, multiple passes of dd if=/dev/urandom of=/dev/disk would be more effective against well equipped parties. There are ways to extract data from zeroed platters in a clean room with the right equipment; writing random data multiple times should be harder to defeat.
I don't think anyone has ever demonstrated the ability to recover data after a few overwrites on any modern hard disk. The entire concept of "residual" magnetism that you can reliably measure sounds ridiculous to an engineer.
AFAIK no-one has ever demonstrated the ability to recover data after a single overwrite. Someone offered a prize for such recovery, back in 2008 [1] which was never claimed (although the prize was only of symbolic value).
I don't want to sound like a conspiracy theorist, but if I was a 3 letter agency with infinite resources (so also no need to claim any prizes, no matter how tempting they can be) and succeeded in recovering data that way, I would never tell anyone. Doing so would reveal what I can do, and by extension send the message "next time do a multiple pass wipe" which in the end would reveal what I cannot do.
Considering that brilliant physicists and engineers have private access to state of the art technology, I find it highly unlikely that NSA/FBI/CIA/??? have figured out how to do this, but no one else has.
On Linux this will generally be CPU bound instead of IO bound because urandom is very slow.
It's much faster to mount it as an encrypted drive with a random key and then dd over the encrypted mapping.
E.g.:
cryptsetup open --type plain --key-file /dev/urandom --key-size 256 $DEV crypttmp
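The same trick carried through to a complete wipe-and-verify routine, as an added example (my script, not the commenter's one-liner or anything from the article): a dm-crypt plain mapping with a throwaway random key is opened over the device, zeros are written through it so the disk receives AES-XTS ciphertext at disk speed, the mapping is closed, and evenly spaced 4 KiB blocks are then read back from the raw device to confirm nothing is still zero. It assumes root, Linux with cryptsetup and util-linux, and the mapping name `wipetmp` and default of 64 samples are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the thread: full random overwrite of a block device
# via a dm-crypt plain mapping, followed by a read-back sample check.
# /dev/urandom is CPU-bound; AES-XTS in the kernel is not, and with the IV
# tied to the sector number every sector gets distinct ciphertext even
# though the plaintext written is all zeros. Requires root.
set -u

dev_size_bytes() {
    # Size of a block device, or of a regular file (so the verifier can be
    # exercised against a plain file without root).
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

wipe_random() {
    dev=$1; name=wipetmp; map=/dev/mapper/$name
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    size=$(dev_size_bytes "$dev")
    # 512-bit key (AES-256 XTS) read once from urandom; it lives only in kernel
    # memory until the mapping is closed, so nobody can decrypt what is written.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$dev" "$name" || return 1
    # Write exactly the device size (whole MiBs, then the 512-byte remainder) so
    # dd finishes cleanly instead of ending on "No space left on device".
    mib=$((size / 1048576)); rem=$(( (size % 1048576) / 512 ))
    dd if=/dev/zero of="$map" bs=1M count="$mib" conv=fsync status=progress \
        || { cryptsetup close "$name"; return 1; }
    if [ "$rem" -gt 0 ]; then
        dd if=/dev/zero of="$map" bs=512 seek=$((mib * 2048)) count="$rem" \
            conv=fsync status=none || { cryptsetup close "$name"; return 1; }
    fi
    cryptsetup close "$name"
}

verify_not_zero() {
    # Read $2 (default 64) evenly spaced 4 KiB blocks from $1; fail on the first
    # block that is entirely zero. Ciphertext is never all-zero, so a zero block
    # means the overwrite did not reach that region.
    dev=$1; samples=${2:-64}
    size=$(dev_size_bytes "$dev")
    blocks=$((size / 4096)); [ "$blocks" -gt 0 ] || return 1
    i=0
    while [ "$i" -lt "$samples" ]; do
        blk=$(( i * blocks / samples ))
        nonzero=$(dd if="$dev" bs=4096 skip="$blk" count=1 2>/dev/null \
                  | tr -d '\000' | wc -c | tr -d ' ')
        [ "$nonzero" -gt 0 ] || { echo "all-zero block at byte $((blk * 4096))" >&2; return 1; }
        i=$((i + 1))
    done
    echo "$samples sampled blocks on $dev all non-zero"
}
```

Usage as root: `. ./wipe-random.sh; wipe_random /dev/sdX && verify_not_zero /dev/sdX`. The read-back only proves the overwrite reached those LBAs through the drive's normal interface; it says nothing about reallocated sectors or a firmware that reports what it is asked to, which is exactly the gap the earlier posters are pointing at when they argue for physical destruction of failed drives.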
Last place I worked where we had to dispose of customer harddrives, we had some home made contraption that was basically a metal frame with a bottle jack that moved a pickaxe head. No data coming back after a few passes with that.
The hard drives had been used for data sharing servers at the prefectural government office and were replaced with new ones in the spring.
The prefectural government had deleted the data, but the successful bidder of the hard drives was able to restore them by using special software. The government is trying to locate the remaining nine hard drives, which were also sold online in July to August.
The data servers had been leased from Fujitsu Leasing Co., which commissioned Broadlink Co. to scrap the replaced hard drives.
Zero-filling, one-filling, and random-filling all the bits of a hard drive is sufficient to make previous data effectively unretrievable. That doesn’t sound like what happened here.
Something to keep in mind when buying datacenter infrastructure is that "next day onsite support" might want to take the failed drive back with them in exchange for the new working one. I know Dell at least has a "keep your hard drive" option for an extra fee.
"Renting" hardware that you "own" is relatively normal. E.g. buy a 1U server with everything from a <provider>, pay some subscription fee so they keep upgrading it to the latest thing.
It's a way to shift inventory management to the supplier, the alternative would be to employ people to try to sell used 1U servers & components.
Those companies will then pick up your used server, wipe it, and sell it to someone else. Depending on the contract that'll include physically intact hard drives.
Off topic -- it made me happy to see a newspaper from Japan and in English too. I browsed around to see what they were covering and even if the news was gloomy, it was somewhat refreshing to see another perspective on what's going on in the world.
From my personal experience, reading data in the Japanese language is the only reliable source to understand what happened in Japan. Their news, press releases, announcements in English are usually too loose.
What follows is a completely biased opinion, but I don't really have a high opinion of The Japan Times. IMHO they have an editorial slant that tends to cater to the foreign reader's biases rather than reporting news from a Japanese perspective. Like all newspapers, it's a mixed bag and there are often well written and insightful stories. However if I were looking for a place to stoke my confirmation bias for common misconceptions about Japan, The Japan Times would be the absolute first place I would look.
The NHK world news linked in the original article is probably the best place to get Japanese news from a Japanese perspective in English, but you also have to be a bit careful. While the NHK is very similar to the UK's BBC in many ways, news stories are frequently very soft on government policy. So it's sort of the opposite of the Japan Times ;-) The quality in general is much better IMHO, though.
If you don't mind relying on Google Translate (which is getting quite good these days) the TBS news website is very good: https://news.tbs.co.jp/ There is video for most stories and a transcript written under the video. This is actually what I used for studying to learn to understand the news. The quality of the stories vary, but they make a good counterpoint to the NHK. Keep in mind that all Japanese news offices tend to have a cozy relationship with the government, so you need to keep your mind open.
If you have an interest in Japan, keeping abreast of these Japanese news is useful as I have found numerous blatant errors in foreign reporting of Japan -- sometimes to the point where they translate something a Japanese official says exactly the opposite to what they are saying. I don't think this is true only of Japanese news either. World news is full of shenanigans and it really is an eye opening experience to follow the news from the perspective of a different country/culture.
The leasing model (it's not 100% certain from the article that they have been leased) may make sense for disks, if the idea is that after some time they must be necessarily replaced.
Assuming they were leased, since the client returned them (instead of purchasing them), physical space may have been a reason.
Wouldn't it mean that the lessor would be allowed to sell the drives? I mean if you rent them out, and they are handing the goods back would you just destroy them? Something doesn't sound right here.
Well recycling heavily used disk drives sounds more like waste disposal, I mean who can you sell that shit and get away with it? Maybe give em away if they work, idk.
Likely unrelated, but Kanagawa prefecture is home to a large US Navy base in Yokosuka city. A lot of military and US government employees likely have some of their data somewhere on those servers.
I'm hoping this isn't the case as I spent a lot of years there. Most of us had little contact with the local government -- road tax was the only thing we were liable for to the local government.
Well anyway, the US Government has managed to export all my personal data multiple times anyway, this can't be worse than that. The most they'd ever be able to get out of the Kanagawa government is the address where I lived when I was there and probably the license plate to the car I had.