A third (34 per cent) of discarded hard disk drives still contain confidential data, according to a new study which unearthed copies of hospital records and sensitive military information on eBayed kit. The study, sponsored by BT and Sims Lifecycle Services and run by the computer science labs at University of Glamorgan in Wales …
Very interesting, but...
...the real question is, how much porn was found?
Why do I bother?
I used to be embarassed at being so anal as to actually have a shredder that also shredded discs. Excessively focused on the security of my perosnal data and my clients' data. But if Very Large Organisations can dump private data so unsecurely that it ends up being punted on eBay, why do I go to the trouble? These institutions don't seem to suffer nor does anyone seem to lose their jobs. Accountability-free world, and I want to join it!
All we need is a new law making it an offence for anyone who acquires a used storage device to act upon any information received therefrom without appropriate authorisation. (Beside which, if you don't do a full bad block scan -- which necessarily requires writing to every sector on the surface, and there's no good reason to put back whatever used to have been there when you're done -- on a used HDD, you're an idiot.)
It's already an offence to act upon information received by listening to radio transmissions you shouldn't have been (including, as far as I read it, slowing down when you detect a speed trap).
It's hardly difficult
to cleanse data from surplus disk drives. A loving tap with a lump hammer works for me (though this may reduce its resale value on eBay). Alternatively there are plenty of firms willing to put drives through an industrial shredder for you (on site, if you're that paranoid).
Serious security operations have always done this - companies used to love having the maintenance contract for GCHQ, because every time a disk failed they had to provide a new replacement. The second-hand value of a used disk can't possibly compare to the value of data that may (inadvertently) be left exposed on it.
@ A J Stiles
That seems like an odd idea for a law to me. How can I fail to act upon something once I know it, and how can the prosecution ever prove that I wouldn't have acted in that way regardless?
It's like your speed trap example. If I'm nicked for speeding, can I use this in my defence? "Sorry m'lud, it would have been illegal for me to act upon the information I had received, so I had no choice but to continue travelling at 90MPH for the remainder of the journey."
Permanent File Delete
These hard disks could have been cleaned up very easily using Permanent File Delete.exe, it’s free and very easy to use. If you do not believe me, Google it.
Shouldn't ever happen
No HDD used by the gov should ever get to ebay, or anyone else. Is it really that hard to make sure every drive removed from anything even remotely gov related gets a drill through it once its done with. Hell, I do that with my old drives and theres nothing on them other than general email crap that the gov now has copies of and will no doubt lose at some point.
It's simple, once used, DESTROYED afterwards.
@A J Stiles
Re speed camera detectors...
IIRC that was tested in court, and failed... The camera detector doesn't allow you to listen to the transmission, or decode any content from it, it simply tells you there is one... A subtle difference, but enough.
Although I'm sure that 2 weeks after that they made it illegal to own, see or even hear about such devices on pain of death.
My favourite method...
...involves an oxy acetylene cutting torch, I must do it again for youtube.
My old boss was rather paranoid about data disposal so I took one old drive and sliced it in two for him. The bits sit on his desk and from what I hear are quite a talking point.
No. It's a defence to any crime that it was committed in order to prevent a greater crime, but it doesn't work the other way around. And speeding is a worse offence than a wireless telegraphy offence.
@ A J Stiles
Yeah, that'll deter the Russian secret service.
"All we need". I sincerely hope you're being ironic.
Boot and nuke them!
If you want to erase a disk and don't care that a national intelligence agency might be able to recover a fraction of the data, just download Darik's boot and nuke (www.dban.org). Free. Does exactly what it says to the data. After it finishes, E-bay the disk.
If the disk is faulty or if the data is REALLY sensitive, destroy the disk. A hammer is very satisfying, crushing it in a vice is safer, dissolving it in an acid bath is the ultimate secure erase.
Quote of the day
Quote from the BBC News version of this story [http://news.bbc.co.uk/1/hi/wales/8036324.stm]:
Professor Andrew Blyth said: "It's not rocket science - we used standard tools to analyse the data".
But, at least in the case of the air defence system launch codes ... it IS rocket science...
I have tried every software tool I could on a disk wiped with dban.
I recovered nothing.
Safe enough for my data. Work drives are physically destroyed after a dban wipe,
Actually, a national intelligence agency probably could recover data from a disk that had been dissolved in an acid bath -- apart from, it would reveal stuff.
Once magnetic data has been overwritten, even just once, it is unrecoverable by *any* technique -- except asking someone who knows what it used to say.
Once upon a time, *all* computer storage was magnetic; and if it was really possible to recover overwritten data, someone would certainly have exploited it as a way of increasing storage density.
Expand The Search
I have acquired storage products at Fry's that turned out to be pre-owned and full of other people's crap.
I have seen loads of private data.
i use to work for a computer recycling scheme (government scheme obviously) and we use to strip donated computers and rebuild them to sell cheaply to low income familys in the area. The donated computers were from universities, schools, hospitals, banks and small businesses and although most of the machines were fairly old none of them ever had the hard drives wiped before we collected them. Volunteers who worked with us use to take these hard drives home to use in there own computers and i will admit even i did too, infact we were told to take them if we wanted them because it was easier than paying to have them destroyed. I did nosey on loads of hard drives just out of pure curiosity. its like if one of your mates leaves there phone laying around you just have to pick it up and have a look. On the hard drives i saw photos, personal letters, database information (from a bank no less!) and student passwords, grade information i mean you name it. I think i still have the drives gathering dust in the back of my wardrobe but i never use them, this was like 8 years ago and the drives are no good in todays machines. it just goes to show though that not even a charitable scheme run by the government itself can protect users data and it is worrying. best way for a non computer savvy person to render a drive unreadable is to take an ordinary household drill and drill a hole into it shattering the data disc inside.
the military can't be that desperate for cash. All you need is one bloke with a hammer, and all your problems disappear. That's what we do at our accounting firm, with out old drives.
What to do with old disk platters
Try disembowelling them,
The platters make good coasters,
The magnets make good strong fridge magnets.
So, an NHS trust pays a private sector contractor to destroy its hard drives, rather than doing so in-house, then squeals "but we didn't know" when the private sector parasites do what private sector parasites are wont to do - whatever it takes to make a bit more money. There are so many times when the 'private sector delivers better value' argument sounds so very, very thin.
Paris; smarter than the average NHS manager
The solution is obvious. Arrest the people buying these disks, charge them with something vague like "terrorism", lock them up and throw away the key. If nobody publishes that they've found leaked data, then obviously there is no data being leaked. How dare these so-called researchers find fault with our government and corporate masters?
Silly people , but I believe that since the evil 2% of netizins now easily exert total control tens of millions of virus and trojan infected machines in a similar almost identical manner to the popular "SETI Screensaver" distributed computer processing power for signal analysis . It can thus be summed up as one old veteran once said "There are so very few secure operators in the computer industry that it has become almost a pointless exercise in futility to stop the same dumb user to infect his or her computer in the same identical manner times 1000X ! They are that dumb and stupid it beggars belief and yet these self same idiots will lock their front door when they leave for work but put them in front of any computer what ever brain cell they had in regard to security is switched off at the same time they switch the computer on" .
wipe the disk first...
Then physically destroy it.
I think the policy is called "belts & bracers" so you wont get caught with your pants down
I built a little smelter to destroy/reform my old hard drives as I'm a terrorist/activist. I briefly thought about offering this as a paid service before I considered what sort of customers I'd attract.
Not A New Problem
I remember buying cone shaped bags of deep fried and salted shrimp made from 12x14 inch sheets of computer printout paper from street vendors on 'The Hill' in Seoul. After a closer look at the paper we discovered the paper came from the trash of the personnel shop on post and contained Names, SSNs, and other identity information, etc. We thought it was pretty funny at the time, then decided to stuff a few empties in the suggestion box on base with the SSN of a high ranking individuals highlighted. It took them a while but eventually you couldn't find any of those bags on the hill a year later.
I also remember throwing out the computer printout listing of the entire membership in AUSA while on a brief stint as their janitor, pre-dumpster diving days. When I needed a replacement hard drive; I purchased a used hard drive to replace my crashed drive in my AST laptop. It turned out the drive previously belonged to a Marine Officer from Quantico, before I wiped the disk and reformatted. By the way it doesn't matter how many times you overwrite a disc some forensic lab somewhere will be able to extract each layer of data from the beginning format, unless you remove the magnetic material completely (sanding, ammonia, melting, etc.) the data there forever.
Information owners (that means you) need to take responsibility for its disposition; personally or regulatory via agency, get hot, ask them and demand the correct answer. Only those needing to know, need to know.
Love Gus – getting of my soap box now.