A New Technique to Quickly Erase Hard Drives 458
RockDoctor writes "Stories about 'wiped' hard drives appearing on eBay (and other channels) and being stuffed with personably-identifiable data are legion; rarer are spy planes having to land on enemy territory, but it happened in 2001 to a US spy plane over an un-declared enemy (China, and that's a topic in itself). Dark Reading reports the development of a technique to securely wipe a hard drive in seconds, and which is safe for flying. (The safe for flying criterion rules out things like fun with packing the drives in thermite. Also thermiting the drives may not erase the platters to the standard required, which is moderately interesting itself."
First question: (Score:5, Insightful)
Why not use flash memory? (Score:5, Insightful)
Or, just encrypt the data with the key in RAM. (Linux can already do this with swap - it's completely transparent to the user, and the key only lasts as long as the system remains running).
the product is stupid (Score:4, Insightful)
The obvious solution: encrypt everything that hits the disk, keep the key in RAM, and overwrite the key when needed.
I'd worry the most about antenna shapes and sizes and various analog circuitry.
Re:Erasing, not Voodoo (Score:3, Insightful)
Of course, the bad sectors that get transparently reallocated leave dead sectors that can probably be recovered and would not be wiped with stock firmware, so it's academic anyway. If you can't take that risk, you have to turn the media inside the drive into molten slag. There's no other way.
Re:First question: (Score:3, Insightful)
Encrypting the harddrive (which it may have been) simply changes the problem from one where you need to destroy the unencrypted information quickly and compleatly to one where you need to destroy the encryption key quickly and compleatly. Destroying the key may or may not be any easier that destroying the data depending on how it is stored. Also, even if the data is encrypted and the key compleatly destroyed, you probably still want do destroy the encrypted data. After all: How sure are you that your enemy hasn't found a way to break your encryption or somehow obtained a copy of the key?
Re:What a crock... (Score:4, Insightful)
Those guys are a laugh riot.
Re:Joe does it (Score:5, Insightful)
Instead of worrying about residual magnetism which can at best be detected by government agencies with extreme funding, people should simply never write unencrypted confidential information anywhere. This also protects you in cases where you didn't schedule the removal of a harddisk, i.e. theft.
Re:First question: (Score:3, Insightful)
Re:Joe does it (Score:3, Insightful)
In term of data on hard disk, there are three circumstances. First, a person may not protect the asset, i.e. not erase the hard disk, and a bored kid then rummages throughthe harddisk. Second, a user may not understand what erase means. There was a time when erase simpley meant change a bit in the file table and mark the space as free. Unerase was then simply a matter of resetting that bit, and then seeing what data as left. Again, the bored kid would unerase and rummage. This has gotten better with the two stage trash can/erase, but can stil be a problem. Both of these are simply solved by a hard disk wipe, as the bored kid will not spend hours with a hard disk, especially when the asset is of no value.
If the asset is of value, all bets are off, and the third case is in effect. If the data is of value, or is incriminating, then the scenario of the parent takes effect. Risk is increased not only because exposure has personal consequences, but there is a specific attacker looking for specific things. In the case of the story, the specific attackers has significant resources to throw at the problem. This was not some bored kid or some local PD on a fishing expedition. Therefore any shortcut trick that did not destroy the integrity of all the data would be insufficient. The attacker has at lesat the resources of the defender. This is the same problem with missle defense. Defense is much more difficult because it must defend against all threats.
So the permamanent magnet seems effective and elegent. It does not require the vaguaries of matching a wipe with specific recording formats. It restores the suface to baseline radomness, perhaps for real. Even normal destruction is often insuffiecent. I once heard a story where to destroy a secret paper one had to burn it, crush the asses, blend it in water, dye it, and who knows what else.
Sounds fishy to me (Score:5, Insightful)
There is a second problem with degaussers: You have to physically remove the disks from their housing. That may take more than minutes.
And there is a third problem with degaussers: You have to very carefully check they work with each device they are to be used on. For example, older degaussers do fine for older disks, but are completely useless for modern ones.
And a 4th problem: Degaussers do not work at all for solid-state disks. Since they are not that uncommon in military application and actually may look the same, that seems to be a serious problem. One that encryption does not have.
I see one advantage for the permanent-magnet solution in military application: It works without power. But if you use the encryption-in-the-cable approach I described above, you can keep the key in a battery-buffered memory chip and erase that securely using the power of the battery (not quite as simple as it sounds, but it is possible to do). All in all, this mainly seems to be a scheme to sell the military something expensive.
correction (Score:3, Insightful)
This is offtopic, although a more interesting topic than "wiping data", but the plane itself was over international waters and never over China's territory.
Also, since when does spying require a declaration of war? The whole point of spying is to aid in deciding-the-need-for or course-of preemptive actions. Given the Chinese government's penchant for secrecy and censorship, it seems fair to want to keep an eye on them. The same point can be made about spying on any other country... everyone knowing what everyone else is doing has a stabalizing affect. All bad decisions are made in fear, which brought on by ignorance, and governments, whose decisions affect millions, need all the tools possible to make correctly informed decisions.
Not in your wildest dreams. (Score:2, Insightful)
Good trade relations with the United States are critical to the party's survival. If western markets became inaccessible and foreign capital fled, growth would falter, internal tensions would mount and the legitimacy of the party would soon be questioned. In any case, a global hyperpower can do just about anything it wants: weaker states must submit to its overwhelming might. And none of these rulers seek justification in your eyes.
Re:First question: (Score:2, Insightful)
At the present level of computing technology, a brute force attack on such a key would take waaaay too much time to be practical, but you have to consider the length of time that you want to keep this data secret, and how much processor speed will improve within that time span.
Damn you Moore!
Note: Yes I know that Moore's law refers to the compexity of integrated circuits, and not their speed.
Re:First question: (Score:5, Insightful)
Heard often, that is an urban myth and nonsense. There is proven secure encryption that is impossible to break, unless the assumption that you can generate secure (i.e. random) keys and some other very simple ones are wrong. ElGamal has this property. Even for less secure ciphers, the statement is untrue. Sure, a single cipher may have weaknesses that may allow a break with high (and often prohibitive) effort. Just use two different ciphers with independen keys and the problem becomes exponentially more difficult since you now need to find a joint vulnerability.
Of course there is a lot of bad encryption on the market, like home-brewed, not peer-reviewed ciphers. Ciphers are also often used in an insecure way, see, e.g., the very good ECB example here: Wikipedia [wikipedia.org]
But the basic problem can be solved. There is just a lot of ignorance.
China?? (Score:5, Insightful)
China may have different attitudes and morals standards than the US, but they are doing many things right as well; more than western media tends to portray (e.g. according to the CIA world factbook [odci.gov] China has a lower percentage of citizens suffering from poverty than the richest country in the world (namely the US)). I don't want to whitewash anything, but reading things like "undeclared enemy" in a tech article on an international website just pisses me off.
China is not an enemy (Score:3, Insightful)
China is not an enemy. We buy a ton of stuff from them. They buy a ton of stuff from us. Our businesses have offices there. Our colleges have exchange programs with them.
Yeah, our diplomatic relations are a little bit strained over things like Taiwan, but we're nowhere near going to war with them. If you're a troll, shame on you. In any case, shame on the Slashdot editors for choosing this ignorant or trolling person's story.
Re:There's powerful and then there's powerful... (Score:2, Insightful)
Re:First question: (Score:5, Insightful)
Given Moore's law, and assuming it holds beyond physical limits, the expression "billions of years" accurately describes the length of time required to brute force a 4096-bit key.
Given the possibility of quantum computing, the only thing you can do is use one-time pads for all your needs, provided you need these things to stay secret for more than the 50-100 years required to develop quantum codebreaking systems.
Now, that solution is quite feasible, but time-consuming. Here's how you'd do it:
1. Have a secure [D]RNG fill a hard drive to capacity. Copy that to the plane's hard drive.
2. Have a filesystem that writes raw data to the disk--you only want one file containing all data that's collected, and that should be append-only.
3. Instead of simply writing data, XOR the block you're writing with the one that's currently on disk.
4. Once you're back on base, another XOR gets your information back.
Re:What a crock... (Score:4, Insightful)
Yes Francis Gary Powers over flew the Soviet Union and was shot down. Never said he didn't
The EP-3 was in international airspace and was rammed by a Chinese fighter.
How is one anything like the other?
BTW according to international law it is illegal to shoot down an aircraft just from intruding into your airspace. There has to be a clear threat involved. Every attempt has to be made to contact the aircraft and to escort the aircraft to a landing field. There is an entire protocol worked out.
Russia did have at least a marginal case that the U-2 was a threat since it was so far in it's airspace and overflying military sites.
Re:you read the article more closely! (Score:2, Insightful)
Re:Joe does it (Score:3, Insightful)
Re:Erasing, not Voodoo (Score:1, Insightful)
Re:China?? (Score:3, Insightful)
Funny, I was sure that was the USA. Clean up your own damn backyard before focusing on other people's problems.
Re:China?? (Score:3, Insightful)
>What's with all this hate mongering against China?
When your spy plane is making an emergency landing because another country's fighter just rammed it, it does take a while to start thinking of that country as a friend again.
Re:RISK of quantum computing taking off (Score:4, Insightful)
The way that one-time-pads work, if "attack at dawn" is a possible result, then so are:
attack at dusk
eat more veges
Where's Waldo?
hoist the sail
What you say!!
Zerowing Rules
Do you get it?
search google.
Cryptonomicon.
This is ending
Game is ending
Fire is ending
Heat is ending
What is ending
Iraq is ending
USAF is ending
It isnt ending
Now, which one was the correct decryption?
The reason a one-time-pad is "completely unbreakable", even resisting brute-force cracking, is that every possible string of length X is a valid decryption result for some key. So without knowing the "correct" key, it is impossible to recover any part of the plaintext. The four character ciphertext "sjrw" could decrypt to any of the following strings, even if you found my working paper and were able to deduce that the first two letters were "go":
golf, gods, gore, gold, gone, gout, goal, goad, goat, gosh, goog, go.., go??
No plaintext has higher probability than any other of being correct...
Re:First question: (Score:3, Insightful)
These problems can be addressed, but a one time pad cannot prevent the problem in the article since it only works for data produced while in flight. It is far more likely that highly classified data is being carried on a plane like this because it is neccessary to complete the mission. In order to access the data you would need to take the key with you and then you're back to square one because the drive containing the key still has to be destroyed in an emergency.
Finally, since the data is so important to the mission, it needs to be stored on media that is resistant to accidental modification. The device described in the article is meant to address the conflict between the robustness needed to survive a mission and the volatility needed to destroy the data in an emergency. This problem also applies to any in-flight encryption technique where a key is needed to read the data. Even if the key is not stored on a hard drive it has to be stored on something that is resistant to accidental loss.
The product sounds ridiculous because no one outside of government is trying to protect their data from an adversary with effectively unlimited resources. The military doesn't have the luxury of assuming their adversary won't take an electron microscope to the drive to recover overwritten data or determine which bits have been switched from their previous state. That's the kind of threat the technique in the article is meant to address.
Re:Joe does it (Score:2, Insightful)