back to article Flash drives dangerously hard to purge of sensitive data

In research that has important findings for banks, businesses and security buffs everywhere, scientists have found that computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques. Even when the next-generation storage devices show that files have been deleted, as …

COMMENTS

This topic is closed for new posts.
  1. J. Cook Silver badge
    Pint

    One way around this problem...

    ... is to physically destroy the devices, which is what the *really* paranoid do. Granted, this wouldn't work out too well for companies that send their old kit to a company that refurbishes and resells the stuff ('asset recovery' is the usual name given to this process), as they tend to like having working storage devices to sell along with the equipment in question.

    Interesting article otherwise- This is actually ammunition for not having corporates buy SSDs at this time.

    1. Anonymous Coward
      Anonymous Coward

      HMG's Secure Erasure

      Involves grinding the drives into dust in a large shredding machine.

      The moral of the story is if you must put it on a flash drive encrypt it. Mind you the brain power involved to workout that methods used for erasing magnetic disks don't work on solid state is mind boggling, but a timely reminder none the less.

  2. Chris Miller
    Happy

    Secure data disposal?

    May I suggest a 4lb lump hammer - also suitable for hard drives.

    Safety goggles optional (but highly recommended).

    1. Peter2 Silver badge

      You can suggest it mate

      but have you ever tried it? All you get is a bloody loud ringing sound unless you have glass platters on the HDD.

      1. Chris Miller

        @Peter2

        Yes, I've used it. It does require a modicum of intelligence (support the drive at the two shorter ends) and a little physical strength, but the end result is a V-shaped device from which it would be 'challenging' to recover any usable data. I've not actually tried it with SSDs, but I can't see why it wouldn't be equally effective (the casing is less robust, but you'd want to make sure you'd mangled each chip inside). For those lacking the physical strength (or intelligence), there are mechanical devices such as Bustadrive (Google it).

        But ultimately the answer is physical destruction, for which a large number of solutions are available, up to and including shredding followed by liquidation. There's no real market for recycled SSDs (at least, I would never buy them), because the storage degrades with use.

      2. Adrian Challinor
        IT Angle

        @Pete

        Yes - regularly when I upgrade drives. But I also use a large screw driver. Punch a hole through the electronics and the drive platter and that vigorously wind the screwdriver around what now remains of the platters.

        It's call hardware - and when I have finished it is useful only as scrap.

        Goggles and breathing mask highly advised.

    2. copsewood
      Stop

      not safe enough for all purposes

      Ros Anderson refers to research in his book 'Security Engineering' where explosives were not considered up to the job of destroying on-chip data where fragments of over a certain small size remained, if the data was particularly sensitive, e.g. nuclear weapons launch codes and the attacker well enough funded.

      1. Brian Morrison
        Thumb Up

        There's a simple, cheap method....

        ....but it would require a large airy environment and serious care while the process is used.

        Thermite, it's cheap and very effective at rendering the whole device unusable, it's what was used to render magnetic core memory useless in the event of capture on military equipment.

    3. Anonymous Coward
      Happy

      Easy enough

      Stick it in a vice and drill holes through the platters. Then stuff in an incinerator for a nice roasting along with you garden waste, just to burn off the top layer treatment of the platters, let it cool and drop it off at the scrap metal bin in your local council waste depot.

      I wait until I have half a dozen to do once a year, from friends and family.

      1. This post has been deleted by its author

      2. Anonymous Coward
        FAIL

        Err...

        ...what platters?

  3. Herbert Meyer
    Grenade

    Hammer and Pliers

    I read something last week about some hedge fund crooks erasing flash drives with hammers and pliers. Perhaps I can find my old UV eprom eraser, once I get the opaque cases off. Moving up the spectrum, an unhealthy dose of X or Gamma will work without removing the cases.

  4. John Sanders
    Grenade

    Secure delete... let me think...

    Fire

    Sledgehammer

    Car accident

    Bus accident

    River Thames (+ Concrete?)

    So little time...

    1. sisk

      Nope

      >Fire

      Anyone who does serious data recovery will tell you fire doesn't do it with magnetic media. I suspect flash based media doesn't fare as well, but it can probably be at least partially recovered from all but the hottest fires.

      >Sledgehammer

      Don't make me laugh. At least some of the chips will be more or less intact after that. All the data on an intact chip would be recoverable. Some of the data on broken chips would even be recoverable with the right equipment.

      >Car accident

      >Bus accident

      See sledgehammer

      >River Thames (+ Concrete?)

      Niether water (while the drive is unpowered) nor concrete will harm the data on a flash device.

      Personally I'd have to go with what someone else said. Thermite. There won't be anything left of the chips after that.

      1. John Sanders
        Linux

        What?

        "Anyone who does serious data recovery will tell you fire doesn't do it with magnetic media. I suspect flash based media doesn't fare as well, but it can probably be at least partially recovered from all but the hottest fires."

        Do not make me laugh man

        "Don't make me laugh. At least some of the chips will be more or less intact after that. All the data on an intact chip would be recoverable. Some of the data on broken chips would even be recoverable with the right equipment."

        I want what you smoke.

        Regarding the river solution, I trully doubt that you will ever figure out where I dumped the thing, nor if you find a concrete slump that there's anything inside.

        But here it is for you, burned, smashed, rolled under a car, a bus, and finally dropped inside a concrete lump into river thames from London Bridge.

        Stop watching so many james bond movies mate, they'll do you no good.

  5. John F***ing Stepp

    Actually this is about the only way to secure a flash drive.

    Although consigning it to a wood stove might be more effective than a hammer.

    The little bits wear out, you see.

    So the next write modifying the same file might just make a duplicate.

    And the 200dreth write after that might get around to reusing those first bits.

    Maybe.

    After a while a flash drive is a mess, a very well considered mess, but a mess.

    Run the old DOS program core on one; ouch.

    From a company standpoint, only idiots would consider selling used flash drives.

    New word, ubiquitous.

    (a prevalence of idiots.)

  6. Gideon 1
    Grenade

    Duh

    Fill it with random data, then it will have to overwrite what you have deleted.

    1. C 2
      Boffin

      Actually it won't

      These devices use something called "wear leveling" and have some capacity above the rated or visible space.

      This capacity is swapped out using some algorithm stored in its own controller, which is why most of methods where unable to erase everything.

      1. Owen Carter

        Wear levelling != extra storage..

        @C2

        Sorry; but wear levelling just means that the writes to the device are spread very evenly across it (due to the limited number of write-cycles available to each storage cell). It does not mean that there is spare capacity which is only brought into play when needed. Trust me; drive manufacturers like big numbers; if there was really 80Gb of capacity on a '40Gb' SSD they would find some weasely way of trying to sell it as an 80Gb drive...

        A '$ cat /dev/urandom > /dev/ssd' will go a long way towards preventing your data being accessed.

        That said; Mechanically mangling will generally be faster and easier.

        1. Ammaross Danan
          Boffin

          Fail @Owen Carter

          wear leveling "hidden space" is in fact extra storage. SSDs are a particular creature. Data tends to be a copy-on-write setup, so when you overwrite your file, the new copy (parts of it at least) end up elsewhere on the drive and the old data gets flagged as available (whether it gets used or not is based on the write-count). That "elsewhere on the drive" can be within the CONCEPTUAL capacity of the drive, or land in that over-provisioned wear-leveling space. The controller doesn't care, it just doesn't want you to fill up the full 120GB of your "100GB" drive, because it is greedy and wants to maintain peak performance with its wear-leveling.

          Storage locations on an SSD are a moving target, and that is the point MANY people (including these researchers) seem to forget. They're talking about traditional HDD "shred" techniques and then getting shocked that not even a "defrag" overwrites the data. They tried sequential overwrite methods, which with the above explanation of over-provisioning and a bit of brain power, one would realize would be ineffective.

          A bit of intelligence shines through when they say the best way to "sanitize data on SSDs was to use devices that encrypted their contents." Bingo. Many SSD /drives/ do this. Granted they have a point about purging the crypto keys, but that's easy enough by grinding the chippery, or the thermite option.

          Lastly: "Furthermore, there is no way to verify that erasure has occurred (e.g., by dismantling the drive)." is utter bullocks, as I can tell straight away that a drive that's had its flash chips melted by thermite (or perhaps dissolved in an acid bath) is cleanly "erased" (in proper Ahhh-nold fashion via "Eraser").

          Oh, and a P.S. for Mr. write-spam monkey, when an SSD "fails" due to write exhaustion, the last-written data remains in the cell, perfectly accessible to be read. If you had an entire block or even chip fail in your SSD, unbeknownest to you, the data may still be accessible and no amount of continual rewriting will destroy it. Fail 4 u :)

          1. Owen Carter

            Worst flame'ing ever...

            Which part of: "will go a long way towards." did you read as 'fully achieve'?

            I was replying to a comment about wear levelling.. not a comment about fully destroying the data. I covered that in the 'Mechanically mangling' part :-)

    2. Anonymous Coward
      Anonymous Coward

      re: Fill it with random data

      That will wipe most of it, but you can't guarantee that it will get it all - when a block produces an error it is marked as bad, and any attempt to write the whole device will skip any bad blocks, but each block (128kB?) could be complete and readable with only a single bit out of place.

    3. Gordon 10 Silver badge

      Read the article muppets

      Did any of you read the article? Data was recoverable in some cases after 20 full disk rewrites. Thus your random comment were about as useful and relevant as random string pasted to this comments box.

      Commentards indeed. Kermits.

  7. Anonymous Coward
    Anonymous Coward

    I echo the comments about smashing up drives

    Works for tapes, works for disks and it will work for computer chips too.

    As the value of the data on the drives becomes exponentially greater than the value of the actual drives this will continue to make more and more sense.

    Wasteful maybe, but if you're considering erasing a drive then by that point it will have served the purpose for which you bought it anyway.

    The real issue here is not being able to securely erase individual files but what's new? In a corporate environment, by the time you realise you've saved something a little bit dodgy and gone to delete it, it's already sitting in the CEOs inbox.

    1. John Sanders
      Pint

      mate, next one on the pub...

      is on me to laugh at the expense of the recovery boys.

  8. Robot

    Use TrueCrypt to encrypt the SSD

    I installed an SSD in my Acer Aspire One notebook, and partitioned the SSD into drives C and D, with a clear demarcation between my Windows 7 system in drive C and my data in drive D. I then encrypted drive D with TrueCrypt. I don't think this will provide 100% security (especially if SSD data is shuffled across two different partitions by TRIM), but I think it will help some. Any insight?

    1. Anonymous Coward
      Gates Halo

      Bitlocker is better for this kind of thing

      Bitlocker is in the Windows 7 Kernel and not some file system driver. Also it will only leave 100 MB of unencrypted space(For the boot files) and everything else will be encrypted before it hits the disk, so no worries about someone recovering your data. Also Bitlocker has been optimized like crazy so there isn't a noticeable performance drop in file system activity.

      1. Anonymous Coward
        Anonymous Coward

        Kernel level drivers

        TrueCrypt also uses kernel level drivers and can be used for encryption of boot drivers. And it's cross-platform - Mac and Linux too. And you don't need to pay a premium for some fancy version of Windows - it'll work with Starter edition on up.

    2. Anonymous Coward
      Anonymous Coward

      RTFM

      I suggest you read the truecrypt documentation http://www.truecrypt.org/docs/?s=data-leaks

      Basically your problem is that most of your "sensitive" files will end up being written unencrypted as software makes temporary files on the unencrypted drive while you're working on the files, which means then you have the problem of not being able to delete that data as mentioned in the article.

    3. Robot
      Happy

      Thanks for the info

      To the three persons (or one person?) who answered me: thanks for the helpful information.

    4. adamsh
      Stop

      Already proven wrong.

      see http://www.marko-rogge.de/truecrypthinweis.pdf.

      Best, HA

    5. Ammaross Danan
      Boffin

      Fail @OP (Robot)

      "and partitioned the SSD into drives C and D, with a clear demarcation between my Windows 7 system in drive C and my data in drive D"

      And how did you do that? Pad the "space between" with "sectors"? Data is not stored sequentially on an SSD. That's hard-disk-drive territory. Common SSDs likely have 16 flash chips, with 5-10 "channels" to read/write to those chips. The data is more likely to be physically stored RAID0(ish) style as opposed to sequentially on one chip. That's not counting the fragmentation that will occur as the drive is used, due to the copy-on-write methods of wear-leveling. In the end, there is no "clear demarcation" except logically (in your head and OS). SSDs don't even have sectors. Those 512byte blocks are simply emulated, just like any other sector/track concept. That is why page and block alignment is so important to establish optimal performance on your SSD.

      Best thing to do? Use TrueCrypt whole-disk encryption from the start. Your data would not have ever been written to the drive in an unencrypted manner at any time, and thus you won't have to worry about it lingering around. The only thing likely to be vulnerable would be your network configuration and a bit of browser history that it takes for you to get on the network and download TrueCrypt initially after your OS install.

      1. . 3
        Thumb Up

        @Ammaross Danan

        NAND flash memory is very much segmented into pages, usually 512 bytes. This is the granularity of an erase operation. Your point about them being emulated is wrong.

        I think the detail in your comment of the physical layout is a bit of a red herring as magnetic drives also have the same disconnect between logical and physical indexing: They usually employ multiple heads and have a strategy of dynamically reordering the data with the aim of reducing lateral head movements to minimise power consumption, seek time and noise.

        Absolutely right that encrypting any temporary files (and the swap file/partition too) is the only way to be sure.

  9. Anonymous Coward
    Flame

    Wear level(l)ing? De-gaussing????????

    You got through that whole article without referring to wear levelling (and so does the paper), which is presumably a major part of the problem. If the OS repeatedly writes to what the OS thinks is logical block 42, it won't always end up in the same physical block of flash memory, because any given block of flash has a limited lifetime - a limited number of write cycles. Because of that, the SSD includes a flash controller that implements a "wear leveling" layer that attempts to ensure that any given physical block of flash memory does not get more than its fair share of writes, by mapping between logical blocks and physical blocks. If that made no sense, fair enough, look it up elsewhere, where you will hopefully also find words that explain how SSDs manage to present disk-like block sizes that aren't the same as the inherent SSD block size, and how SSDs have more internal blocks than they offer the host, for bad block replacement just like on a real hard drive.

    So when this magic file erase software thinks it is erasing a specific file, it overwrites what it thinks are the required logical blocks, which courtesy of wear leveling etc are not the physical blocks where the original data was actually written.

    Given that, if you read the whole "disk" from start to finish it is entirely possible courtesy of wear levelling etc that you will find pieces of the data that you wrote earlier are still accessible. They won't be where you expect them, but unless you correctly overwrite the whole disk from start to end (possibly including replacement blocks which aren't directly user-accessible) there is a risk that data may leak.

    Can I have my ticket to California now please? I only need a couple of minutes and then I can go to the beach, if that's OK.

    [The idea that there's any practical value in analog-hacking these things, as with supercooled DRAM... just don't, OK]

    "subjecting SSD media to degaussing, in which a drive's low-level formatting is destroyed."

    You cannot be serious? Shirley? What kind of iriot expects degaussing to have any effect on a flash-based storage device?

    Secure burning of an SSD probably erases it.

    1. Disco-Legend-Zeke
      Black Helicopters

      What About:

      ...microwaves? ..electrical fields?

      Electric arc, Laser Beam, Grinding wheel.

      If it's worth erasing, the cost of blank replacement media is trivial compared to the cost of ((([[them]])) finding it.

    2. dssf

      Degaussing won't, but, remove the "u", and then the word works...

      De-gassing... toss it in a microwave and the data will go from magnetic or optical to pure smoke and sparks of light . If you're brave, toss it in a container of mercury or something liquid that will build up a LOT of heat, but not explode too easily. Melt down the memory chip and fuse it. It might take the Tal Shiar, or better yet, the Xindi, to undo that bit of damage...

      OTOH, someone might make a business model of operating an ISO-19485 (year) temporally-rated slurry-maker incinipit for sensitive data destruction...

    3. adamsh

      Already discovered a year ago - wiping a flash device need not work

      You are correct, but it has been discovered a year ago.

      http://forums.theregister.co.uk/post/992361

  10. Z80

    @Gideon

    At first glance the idea of filling a drive with crap to overwrite the stuff you didn't want to be recoverable would appear to do the trick but you'd need a tool that could overwrite the spare capacity which is not reported to the OS and used to help with wear-levelling and bad block replacement.

    1. Gabor Laszlo
      Boffin

      such as

      dd if=/dev/zero of=/dev/ssd

      1. Dr. Mouse Silver badge

        That's the point

        That will only fill the REPORTED disk size with zeros. SSDs are over provisioned, and when new data is written, it often just remaps the block and puts the new data in a new location. Hence, looking at the chips themselves, you could recover a potentially large amount of data.

      2. copsewood
        FAIL

        dd if=/dev/zero of=/dev/ssd probably useless on compression SSD

        Some high end SSDs use disk compression internally, so a stream of zeros of arbitrary size (e.g. equal to the published nominal device capacity) could be compressed to a very small file as stored on the actual hardware. The rest of the files on the device would be unaffected.

        dd if=/dev/urandom of=/dev/ssd would be better as the output doesn't compress, but as other commenters have pointed out, even this doesn't overwrite physical blocks previously marked by the wear levelling software as unusable.

        The problem is partly that all of our assumptions based upon what works on rotating media are invalid, given the way reverse engineering is revealing how flash memory works internally.

  11. Anonymous Coward
    Flame

    Burn baby burn!

    I used to work for a company which handled a lot of credit card transactions and personal data. Needless to say this meant the company disposal policy on hard drives was pretty tight.

    Given the time a secure wipe can take for just one drive I took to collecting a batch in the server room and then taking them home in one go... A few minutes with an oxyacetylene torch soon erased them. Far quicker, and I defy anyone to recover data from re-solidified aluminium or glass platters. Even better, it takes just as long to "delete" a 1TB drive as it used to for a 20GB.

    The boss thought this was quite an amusing, and secure way of maintaining data security, so I took my time with one and sliced it straight down the middle, long ways, and brought half back into the office. The boss put it in a case and proudly showed it to potential customers as an example about how seriously we take data disposal.

    I feel sorry for whoever took over after me... I don't remember the job description including "the successful applicant will have an oxy torch".

    1. Notas Badoff
      Alert

      We're so serious about security...

      "... and then taking them home ..."

      This is the part you didn't tell the customers about, right?

      1. sT0rNG b4R3 duRiD
        FAIL

        WTB Data Protection.

        Hmm... Please tell us who you are with so we can avoid them?

        Seriously I suspect a lot of companies out there are just as lax...

    2. Dwayne

      Takes time to get home...

      ...once the drive leaves the data center, the data is open to be compromised. Who's to say you actually did what you said you did?

    3. Anonymous Coward
      Anonymous Coward

      disposal policy on hard drives was pretty tight ...

      ... but they let you take them home. Yeah right.

      1. Danny 14
        FAIL

        of course this happened

        I have worked in a center for secure data disposal. Even handling drives outside of the non secure area was liable for dismissal. We went through turnstiles and metal detecting security before we could leave and enter the secure building. Loading bay had a separate inwards and outwards path that didnt intersect and again personell went through metal detector whilst the outwards prepacked containers were on the conveyor. No phones, electronic devices (including watches, games, pagers etc) inside the main building, no keys, no metal, no flash drives. All of the above were subject to disciplinary proceedings. Of course you could go back out to your locker at break times if you wanted to but through the security and back again.

        There were various levels that customers could pay for varying from data blanking via overwrite to degauss through to crunch to tiny bits (then melt).

        1. Anonymous Coward
          Anonymous Coward

          even better: BELT SANDER

          the bad part, the disks never actually left the data center. Yes, the operator sat a table in the middle of the floor with a belt-sander and removed the coating from each platter.

    4. Anonymous Coward
      Flame

      Take them home??

      They let you take the drives home????

      Oxyacetylene approach is good, but exposing yourself, the company and your clients to the risk of you being robbed, kidnapped and optionally tortured to get this data to my mind does not indicate that your company took data disposal seriously enough.

      Please remind them to keep the oxytorch in-house!

  12. John Savard Silver badge

    Degaussing?

    The fact that an SSD device does not lose data when degaussed is about as much of a security failure of the device as the fact that hard drives don't lose data when prayed over. They're not magnetic media.

    Since they're random-access memories, defragmenting yields no access-time benefits, so I wouldn't be surprised if it just shuffles pointers around or is ignored in some other way. It is true that erasing a large SSD by backing up all the useful data on it, and then filling it up with one huge file of random data is not practical - and it may be that even this will leave some data left in odd nooks and crannies now used for the directory structure, which is a valid security issue (in the sense of valid as a complaint against the manufacturers).

    Even invalid complaints, though, are real security issues if user's aren't aware of the inherent limitations of solid state disks. But studies that appear to show a lack of appreciation of the distinction lose credibility. Still, it would be desirable for SSDs to automatically zero out all unused space upon request. (Doing it automatically as a general practice would prevent data recovery after crashes and the like.)

    Of course, this means an extension to the operating system so that it knows how to issue such a request, or utilities that come with the particular device.

  13. Flocke Kroes Silver badge

    TRIM command a better choice than overwriting

    If you overwrite a piece of data on an SSD, the wear levelling algorithm will write the data to a block that is not full, and record that the original data is cruft to be forgoten when the block it is stored on gets moved to create free space by the garbage collector. Overwriting multiple times and overwriting the entire disk adds lots of extra wear and will eventually activate the garbage collector. The garbage collector creates a lot of internal activity within the SSD, so there will be less performance available to the host computer.

    One trim command will mark the data as cruft, and leaving the drive powered up and idle will activate the garbage collector. This method will make more space available to the wear levelling algorithm so it will be able to make better choices to prolong the life of the SSD.

    If you are concerned that the police will bang on your door, and you will have to wipe an entire SSD full of incriminating data in a hurry, check the manufacturer's web site for a tool that will re-flash the firmware. The chances are the instructions will say something like: 'Back up and test that you can restore your data before you use this tool because it will erase every block in the SSD.'

  14. Robert A. Rosenberg
    Grenade

    How About Erase Free Space?

    One thing that I do not note being mentioned in the article is doing an Erase Free Space (ie: Overwriting the blocks that are not shown in the Directory as containing files). Will that target the physical blocks that contain the old data? How about writing one large file (until there is no more Free Space) with the random data that normally gets written for a secure erase. Since I am ONLY writing to Free Space when I write the large file I should hit a new physical block each time (unlike the erase free space which MIGHT map the same physical block more than once as the backing for the logical blocks while not affecting other physical blocks).

    1. Tom 13

      OK, I get that you are too lazy to read the article,

      but aren't you at least reading the posts here? The issue is the redundancy the drive makers build into the SSD drives to ensure your 1T drive still has 1T of memory cells 10 years from now. With at least 4 times the data space as the "native" capacity and a controller in the SSD controlling which memory pieces are overwritten, there's no way for a software program to guarantee the data has been overwritten.

  15. Anonymous Coward
    FAIL

    Nothing new here, move along.

    I hate it when academics "discover" something commonly known in the industry. The issue is that the wear leveling algorithms that make it so that NAND cells which can only be written to maybe 100,000 times before they die, don''t render a flash drive useless in a day or two as the FAT can easily be written to that number fo times in days. And those wear leveling algorithms mean that while logically it appears you are overwriting a file, you physically are not.

    As EVERYONE in the flash business has known from the get-go, the only way to "wipe" a flash drive is to fill the entire drive up with randon data until it is entirely full. That is the only way to insure that all blocks were physically overwritten.

    1. GrumpyJoe
      Thumb Down

      RTFA

      It is already covered in the article, overwriting the data STILL leaves data to be retrieved.

      Am I the *only* one reading AND comprehending the articles here?

      1. adamsh
        Thumb Up

        No --- you are not alone! We proved it a year ago!

        Have a look at http://forums.theregister.co.uk/post/992361.

        Regards, HA

  16. Doug Glass
    Go

    Three Solutions

    Hammer, hammer, hammer.

    1. sT0rNG b4R3 duRiD

      Yet to try it, but...

      microwave.

      Probably a little more impressive (and possibly unhealthy for the oven).

      1. Jimbo 6

        Why not...

        ...get it ejected from the International Space Station's airlock. Should burn up nicely in the atmosphere.

        What d'ya mean, 'expensive' ?

  17. Anonymous Coward
    Anonymous Coward

    IronKey

    I use IronKey devices (ironkey.com), the best secure implementation I have ever encountered, for data which has any value.

  18. Yet Another Anonymous coward Silver badge

    @IronKey

    How do you know? Did they give you the source code? Can you compile it yourself and download it into the device?

    There was a story on here about a big name tape company that promised 256bit AES encryption on their tape drives - turns out they simply AES encrypt the password and then XORed the 256bit result with the data!

  19. C 2
    Go

    Plasma torches work well too..

    With one of these baby's you can dice a hard drive if you fancy. I know someone with a CnC plasma cutter, he opens every window, door and the big bay door when he runs it because vaporized metal is decidedly unhealthy.

    Here's a video of one :)

    http://www.youtube.com/watch?v=aFT__gESOfc

  20. John Tserkezis

    Call me old fashioned...

    ...but ancient rotating magnetic disk media is looking real good right about now.

  21. Anonymous Coward
    Grenade

    Burn it, trash it etc.

    I agree that the only solution (until someone comes up with devices that include a guaranteed self-erasure feature) is destruction. But doesn't the Weeeee! directive have something to say about how you do it? Could drop them off at the local waste transfer station, I suppose, but that doesn't seem quite right. How does the average person get access to the necessary secure and environmentally-friendly destruction faciity?

  22. Martin Huizing
    Grenade

    ccleaner has this option.

    Wipe: Entire drive.

    Simple overwrite (1 pass), DOD 5220.22-M (3 passes), NSA (7 passes) and Gutmann (35 passes)

    Anyone tried this yet? If that doesn't work, strap your stick to a hand-grenade.

    1. Anonymous Coward
      FAIL

      RTFA

      and the comments. Yes, they tried it. No, it doesn't always work. Sometimes it does, but will take a week or so to finish.

  23. copsewood
    Flame

    Funny it needed research to uncover this dirty little secret

    Interestingly I also figured this problem out myself yesterday after reading an article describing results from the independent reverse engineering of some of these devices: http://lwn.net/Articles/428584/ (warning: subscription needed until 28 Feb 2011).

    Here we have hardware being developed under closed source/trade secrecy which violates all of our previous assumptions about how storage works in relation to data cleanliness, very likely leading to loss of privacy for individuals (a human right) and loss of data which to be protected by organisations under data protection laws.

    Security by obscurity is no security at all once the cat is out of the bag. Didn't the industry creating these devices understand that customers needed to know about this dangerous inbuilt device behaviour before these devices were marketed and sold ?

    Self regulation of manufacturer behaviour didn't seem to work here, and this massive failure creates a strong argument for forcing publication of design details (circuit diagrams and source code) prior to supply, if the supplier expects to benefit from normal commercial assumptions providing legal protection (e.g. in relation to related copyrights, patents etc.).

    Another conclusion is that the only way to keep much of this activity accountable to the wider consumer and public interest is to scrap laws which restrict reverse engineering.

  24. Anonymous Coward
    Anonymous Coward

    True crypt

    I make it a standard practise to encrypt anything sensitive before putting it on a flash drive. The passwords are more than 32 alphanumeric characters long.

    Comments WRT iron key and source code, yes, absolutely.

  25. Anonymous Coward
    Jobs Horns

    virus

    just load it with thousands of viruses and chuck it in the bin, who ever finds it will have plenty of fun

  26. Ged T
    Flame

    Flash Flash drives for real...

    ...by momentarily powering them with 240VAC instead of the usual whimp-like 12v & 5v DC.

    Using a 'SSD Destructo-Harness' (TM*) - A SATA power plug, in an open-ended enclosure, with a mains lead wired to 'power' the inserted SSD. A push switch will be required, operated after drive insertion, to 'connect' the drive with some raw, alternating mains voltage power.

    Quick and secure.

    I love the smell of fried chips in the morning...

    *TM - Ged T, 2011 Pat Pending...

    1. Anonymous Coward
      Thumb Up

      Blast furnace/thermite.

      a blast furnace or thermite.

      http://www.theregister.co.uk/Design/graphics/icons/comment/thumb_up_32.png

      http://www.theregister.co.uk/Design/graphics/icons/comment/boffin_32.png

      http://www.theregister.co.uk/Design/graphics/icons/comment/black_helicopters_32.png

      http://www.theregister.co.uk/Design/graphics/icons/comment/alert_32.png

      http://www.theregister.co.uk/Design/graphics/icons/comment/paris_hilton_32.png

      Paris because some men end up with a blast furn..

    2. Anonymous Coward
      Anonymous Coward

      Doesn't work

      More likely just to burn off the power regulators or a few input capacitors..

      Now a Tesla coil on the other hand...

      1. Kanhef
        Alert

        Something like

        this: http://www.electricstuff.co.uk/esd.html

        or maybe: http://www.electricstuff.co.uk/surge.html

  27. Dr. Mouse Silver badge

    Interesting

    I had not considered this from a security point of view before.

    But do drives not have an "Erase everything" now? I have heard them mentioned alot for performance reasons (i.e. as performance degrades due, you can backup, fully erase, and restore, setting the drive back to "factory" performance levels) and I was fairly sure that this performed an erase on all flash chips in the device.

    One thing I do think should be done is allow the drive to be set as a "pure" flash device, maybe using an extension to the ATA/SCSI command set. That way, these devices could be managed using traditional flash filesystems. Or something similar... I'm sure ZFS could easily be tweaked to work well on semi-raw flash. It would be nice if we were given the option, at least, to have more control below the emulated-hard-disk layer (and if drives would stop pretending to have 512b sectors, reporting the true sector size or page size to the OS),

  28. Ted Treen
    Happy

    Easy!

    Just give it to an employee of HM Gov't, and it will soon go to the limbo where countless pendrives and similar have gone in recent years, never to be seen again.

  29. Stumpy
    Coat

    Can I just be sensible for a moment...

    And suggest that maybe, the real solution is one that the manufacturers could implement? Surely, all it needs is a jumper on the drive board that instructs the electronics to perform a complete erasure of the flash chips as soon as power is applied ... y'know, like we used to have for wiping BIOS settings on motherboards?

    ... right, I'll get my coat now ...

    ... yes, that's right - it's the sensible, beige mac hanging in the corner.

    1. Ted Treen
      Pint

      Beige Mac?

      You are Sam Spade & I claim my prize...

      1. Chris Miller
        Coat

        You got a light, mac?

        No, but I've got a dark brown overcoat. (Viv Stanshall)

    2. Anonymous Coward
      Anonymous Coward

      You idiot! Here we all were, just about finished with the

      proposals so we can get our own firing ranges and explosives licenses, and you go and spoil it all by suggesting something sensible!

    3. . 3
      Heart

      Absolutely right

      It's sloppiness on the part of the SSD controller firmware that the ATA security erase command does not directly translate to an erase all pages command to each nand flash chip. The operation takes about 3-5 seconds to complete on the nand flashes I'm familiar with and every last bit can be guaranteed to have been reset to a 1 unless it is already worn out, in which case the odd zero in a sea of ones is hardly going to convey meaningful data.

      1. adamsh
        Stop

        Behaviour is correct according to ATA standard

        Have a look at the ATA standard, or at topic 4) in http://forums.theregister.co.uk/post/992361.

        Regards, HA

  30. TakeTheSkyRoad

    Hang on.... serious question here

    Ok so previous posts have established that heat works (eg. thermite) but VERY few people or companies have access to the ability to dispose of drives in such a way.

    So for myself at home how do I wipe/destroy usb drives ?

    Working and non functional since I have a broken drive which my pc no longer reconises but I'd like to "destroy" the data on the chips before I bin it. Any suggestions that don't include specialist chemical supplies, oxy torches or a furnace ?

    I think this is a much bigger issue for home users than corperate !

    1. Anonymous Coward
      Thumb Down

      You are having a giraffe?

      Use your favorite "impact adjustment" device or any "percussive maintainance" tool..

      Or just an effin hammer you plonker...

      1. TakeTheSkyRoad
        WTF?

        Ok, for the flame hungry....

        So hitting something very hard solves all problems mentioned in earlier posts and also destroys data held on the silicon ?

        I'm going to resist a sarky response and simply say that I'm not convinced you do more than bend a few pins and maybe destroy the board the chips are attached to. Yes, you're making like hard for someone but no the data isn't destroyed.

    2. Michael Dunn
      Headmaster

      Thermite

      A Thermite reaction is actually fairly easy to implement iirc - Aluminium powder, Potassium Permanganate and an inch or two of Magnesium ribbon, all available on ebay.

      1. Anonymous Coward
        Anonymous Coward

        Thermite

        You forgot the other main ingredient, iron oxide rust, in plentiful supply.

        It's also good for cracking safes, though not so good for the contents.

  31. Anonymous Coward
    Anonymous Coward

    Ok...

    I spoke to EMC, our disk supplier, about this a couple of months ago, I was curious but not really concerned because we (major UK bank) shred all our disks anyway. The EMC guy said that their arrays self-erase functionallity (as of a certain version in firmware) deal with this on their self erase. However SATA drives have their own self-erase command, this deals with proper erasure. I believe that SAS/SCSI/FC drives will be getting a proper self erase, indeed they may already have one.

  32. Anonymous Coward
    Thumb Up

    A possible solution?

    http://uk.sandisk.com/misc/secure-access

  33. Fuu Baa

    Simple Solution

    Use the same methods which allowed the researchers to recover the data and overwrite it.

    No problem.

    Unlike magnetic media, where heads can take slightly varying paths, leaving trace of previous data, we're dealing with a digital medium.

    Or, as one of the posters said - always encrypt your all drives, without the key they're random data.

  34. Anonymous Coward
    FAIL

    @GrumpyJoe

    If you bothered to read the real paper (http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf) , rather than the Register's Reader's Digest version, you'd know that:

    "First, built-in [sanitation] commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs."

    So much for your "comprehension".

    Thank you for your attention.

  35. Jeff 11
    WTF?

    Insert key here

    "Wiping happens by deleting the encryption keys from what's known as the key store, effectively ensuring that the data will remain encrypted forever."

    That is absolutely NOT wiping the data. That's merely removing the encryption keys! Just because you've lost the keys to the safe doesn't mean the contents of the safe disappear. If someone can extract the data and get the correct encryption key using brute force or exploits in the key's cryptographic algorithm, then they can get the data.

  36. Anonymous Coward
    Happy

    Don't worry someone will come out with a solution

    Like encrypt the whole drive of an uncrypted ssd drive. Also put it a press and just crush it. I have seen flash drive where the chips are cracked and it no worky at all. No dangerous flames, no dangerous gases but wear a gas mask for the dust produced.

  37. This post has been deleted by a moderator

  38. adamsh
    FAIL

    Already discovered a year ago - wiping a flash device need not work

    1) Marko Rogge discovered this effect trying to wipe out an USB stick, a flash device like a SSD. He published his discovery in https://www.xing.com/net/priedb263x/sicherheit/application-layer-bio-crypto-pen-voip-uce-was-19413/verschlusselung-kann-trugerisch-sein-28202781/p0 and published a white paper http://www.marko-rogge.de/truecrypthinweis.pdf.

    2) I was able to verify this effect with older USB sticks and was able to explain this effect due to wear levelling procedures, see https://www.xing.com/net/priedb263x/sicherheit/application-layer-bio-crypto-pen-voip-uce-was-19413/verschlusselung-kann-trugerisch-sein-28202781/28223883/#28223883.

    During research against SSD the ATA command set enlightened the background:

    3) ATA command 0xf3, "security erase unit", requires only overwriting of USER DATA AREAS, cite "....When Normal Erase mode is specified, the SECURITY ERASE UNIT command shall write binary zeroes to all user data areas (as determined by READ NATIVE MAX or READ NATIVE MAX EXT). IDENTIFY DEVICE or IDENTIFY PACKET DEVICE word 89 gives an estimate of the time required to complete the erasure."

    Bingo. They just use their routines for "write sectors" / "erase sectors", writing only to "user data areas" obeying their own wear levelling strategies... See point 2) ;->

    4) "The Enhanced Erase mode is optional" and "In Enhanced Erase mode, all previously written user data shall be overwritten, including sectors that are no longer in use due to reallocation..."

    To make it clear. Only if and if a feature beyond the standard ("optional") has been implemented, AND the device driver checks against a bit pattern and sets it, the ATA-drive might indeed clear all previously written data .....

    5) To summarize it:

    Above mentioned behaviour is correct in the sense of the ATA command set.

    Everyone could have learned it if they read the data sheets and standards.

    Best, Hans Adams

  39. Paul Powell

    Surely it's about appropriate measures?

    Your security is only as good as it's weakest link.

    When I decommission HDDs I wipe the drive with random data, take it apart, score the platters, take them out, dispose of the electronics separately, and then if I don't need a new coaster I use a pair of pliers to bend the platters.

    It's possible that someone could still get data from that drive - but really, how much effort would that be? How much would that cost - just following the tracks round a warped surface that you could never flatten would be bad enough.

    It would, I suggest, be much cheaper and easier to break into my office and steal the HDDs from the running servers, or to hack in.

    On the other hand if you carrying missile plans etc then your office is probably more secure than most. In that case, destroy it. utterly.

    The thing is that most data loss (at least that which we hear about) is due to leaving unencrypted devices on trains or sending CD's through the post, or selling on old PCs without making sure that they are wiped first. Flash drives don't get decommissioned - they get lost.

    All this making sure there are no large chip fragments is rubbish except for the highest grade - if you have broken the devices electronics then you've eliminated all except those that are prepared to solder. If you break each chip then my guess is that you'd need some pretty hefty hardware along with some dedicated boffins and a large payroll to get anything out of it.

    Anyone got an idea of the technique, an approximate price list for the equipment?

    1. ted frater

      Recent destruction work

      Im lucky to have a 275lb drop forging hammer that can fall under gravity about 1 yard some 5 times a minuite. When you stop it dead in say 1/16th in ,

      It delivers some 50 tons of instant energy between 2 hardened steel heads some 5in square. Thats 10 tons a square inch.

      Ok its a minting tool and I can make pound coins on it ,thats not economic, but it is economic to flatten hard drives or SSD's crushing any chip to powder,

      I had 250 verisign terminals to destruct recently. Completely reduced to 1/4in thick. inc all plastics, circuit boards chips etc.

      customer was happy.

      Cost to destroy, £1.00 each .

      time taken 1 hour.

      Get your hard drives or SSD's to me plus payment, work guaranteed.

      Hope this helps.

      .

      1. Michael Dunn
        Headmaster

        5-inch square

        Sorry, 50 tons on a 5-inch square is actually 2 tons per square inch.

  40. Joe User

    Perfect at the target range

    Set the drive about 50 yards out and put a few high-velocity rounds through it. Good luck getting any data off it afterwards (and a great stress reliever, too).

  41. NoneSuch Silver badge
    Thumb Up

    Thermite

    Cheap and effective.

    5 star suggestion.

  42. Keith Doyle
    WTF?

    Jeez...

    It's pretty clear the confusion here is that some are talking about overwriting ALL the files on the disk, where a reformat (as long as it's not "quick") or complete sector overwrite enough times would likely do the job, and others talking about a single file erase, where all unallocated sectors would also have to be overwritten to insure wear levelled copies are hit as well. Wear levelling need not include "extra" space, only the smart reuse of the space you have. Extra space is only necessary if you expect a high failure rate. In any case, a whole filesystem erase is somewhat simpler than a single file erase.

  43. Argus Tuft

    omg

    does this mean the russian mafia could spend thousands to extract the spreadsheet of my shopping expenses for the last month...?

    my life is sooo boring I'd welcome the attention.

    (pps - hydrofluoric acid - just don't get it on you...)

  44. ElReg!comments!Pierre
    Coat

    Looking at it the wrong way

    You're all looking at it the wrong way. You have to look at the bright side, and honestly, the advantages of this property of SSDs out-weight the risk, and by very, very far.

    I don't know how just yet, but just run the same story, altering the title to read "Apple Flash drives dangerously hard to purge of sensitive data", and presto, 3 pages of comments and suggestion proving how good it is and wondering how we could even live with crummy old HDDs unable to retain data after a low-level format.

  45. Russell Howe
    Alert

    ATA secure erase?

    https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

    depends on the drive being sensible, but it might do something useful...

    1. adamsh
      FAIL

      Will NOT work, as it is NOT supposed to work

      Have a look at the ATA standard, or at topic 4) in http://forums.theregister.co.uk/post/992361.

      Regards, HA

  46. Aussie Brusader
    Happy

    Why is this so negative?

    I see this as a fantastic feature as I'm always getting called to 'undelete' photographs of Aunt Mary's 60th birthday. I'll be recommending SSDs to family.

  47. ted frater

    A simpler idea

    Take the SSD and drop it in the footings of your local building site. pour 2ft of concrete over. build house. we all know what adress it at. but youd need to knock the house down to get at it.

    OR, takeit to you local brick works, incorporate in the center of brick. Add to 1000 0thers , fire in kiln .Find it? never!!!

  48. Mike Brown

    wear levelling huh?

    so how do i turn that off? Id love to turn my 32gb memory stick into a 128gb one. I dont care if it only lasts me 10 rewrites, with that much storage on my phone i wouldnt need to add too much to it (music films etc).

    So....how do i hack flash memory to open up all that redundacy?

  49. awk

    Everybody is missing the point...

    Use SSDs that comply to the Trusted Computing Group's OPAL specification for hardware based disk encryption. When decommissioning the drive simply erase the encryption key in the SSD/HD which renders all data useless. Such drives are available from various manufacturers inl. Samsung

  50. Henry Wertz 1 Gold badge

    degaussing and accesibility

    First off, degaussing doesn't work on hard drives either. I worked on data disposal at a university. As drives came in, the size, brand and serial number were scanned into a system and a bar code printed and affixed to the drive. We used 10 PCs which could each handle 4 hard drives, using DBAN to do a DOD wipe. When drives succeeded, they were scanned as wiped, and a "DOD wiped" sticker affixed to the drive. Anything that showed bad sectors or failed to wipe, plus any drives departments indicated were particularly sensitive, were scanned in as "for disposal" and boxed. We'd take them up to a disk destruction facility which removed the platters and melted them down for scrap. While we were on site, the disposal facility would scan in the bar codes and print us a list of serials, so auditors could verify the same drives arrived that left. The auditors didn't know the volume we dealt with, one asked for one months records, I pointed out that would be over 30 pages, so he decided one week would be fine 8-).

    OK back to the point. Degaussing doesn't work on hard disks either! We got a batch of disks, the department stressed they'd degaussed them so we can just throw them out. I figured I'd better verify the effectiveness so I plugged a few in. The first or second I plugged in did some of those "bad sector clunks" but worked, and had plenty of data on it! I ended up testing 8, and 2 out of 8 worked. BTW, some hard drives a 4 pound hammer won't do a thing either -- we had one that we dropped off a second floor, hit with a sledgehammer (much more than 4 pounds) repeatedly from several angles, and ran over with a fork lift. Plugged it in, it sounded like the bearings were shot but it spun up and read!

    As for accesibility -- having unwiped data on a supposedly wiped SSD is serious. But, is there an ATA command to access these spare areas and read out the data on any device, or would it require a device like the "Ming the Merciless" direct flash readout device used in the paper?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020