Re: Unreasonable seizures

1995-10-02

Sender: Tim Scanlon <•••@••.•••>

What follows are in-depth, serious directions on how
to be totally sure your data is cleaned off of your
system if you are making the choice to wipe the data
out. The standards I describe deal with the state of the
art, and adequate precautions under all circumstances.
I evaluate trusted systems, security policy, and procedures
for a living, and I am disseminating this information
to the list as a professional courtesy.
I have tried to leave them as non-technical as possible
while still dealing with the relevant standards and
technology.

Most of the respondents to this question have been fairly
correct procedure-wise. U.S. Govt. standards do specify
about 5 differential wipes all told. However you should
be cautioned that even that will not completely & utterly
get rid of stuff. You should actually use DOUBLE that
amount of wipe cycles (10 all told, which is about 1 extra.)

On top of that, if you are wiping an entire disk, to do the job
correctly and safely (safe for you), you should low-level
format the disk at least twice, and preferably 3 times in
the cycle of wipes. This assumes booting from floppy (dos/mac/unix)
or from a CD-ROM (unix mostly) or some other device that is not
the media you're cleaning.

If you do the above [i.e. 3 wipes, LL format, 3 wipes, LL format, 3 wipes,
LL format] you can be assured that for all intents and purposes your
data will be utterly gone. The Low Level procedure is an important
part of this. This is different from the DOS "C:\DOS\format C:"
type format in that it's a media preparation format. It's important
to do for a lot of technical reasons which have to do with
disk geometry & the like.

The more technical amongst you may be saying to yourself "what is he talking
about, why would I need to do that much blah blah." Trust me, these are
reasonable precautions. I am not going to go into why, how, where, and
who issues at all on this one, because while the answers are somewhat
varied, & would require all of the above categories, it simply would
not be an appropriate subject to delve into. [Don't ask in email either
unless you have a demonstrable need to know. I deal with these issues
for a living, and am bound by some ethical considerations as well in
this.]

Naturally, wiping file space is less secure. If you are going to do that,
I recommend a procedure where you first wipe the file itself, then
wipe all the free space, then reoptimize the filesystem (use a defragment
utility such as the ones found in Norton's), then wipe it again.
If you are on a Unix system, the use of the mkfile(8) command can
serve nearly the same purpose. With some research, you can find
products that will allow you to wipe disks & file areas on
Unix systems to all of the DOD standards.

If you are an MS-Windows user, DO NOT neglect to do the same for
the Windows "swap" file. This goes for all "swap" areas on any
system, but some are harder to get at than others, both in
data retrieval and in destruction. On Unix systems, using
and releasing a lot of virtual memory can do the job, as well
as rebooting them. (Be creative and understand "garbage collection"
routines are pretty complex puppies that can work for or against you.)

The best solution above all is to use encryption! Get PGP and learn
how to use it if you don't. If you have it and don't use it, shame
on you, get in the habit of using it. Many people fear that they
will "lose their keys" and don't use it as much as they should
because of that. Get floppies and back your keys up on at least
2 of them and you will be ok.

Why do all this? Why would anyone do all this if they "had nothing
to hide"? Well, we all have a right to privacy, and in the US
we have a serious right to privacy, that may or may not be honored
depending on the "war on crime" and who's trying to score points
politically. (One of the reasons IMHO district attorneys shouldn't
be elected officials.) No one is going to protect your privacy but
yourself. You can't count on politicians to do it, and you certainly
can NOT count on Law Enforcement Organizations to do it right now.
That leaves YOU. I realize I may be preaching to the choir here,
but it's easy to neglect actually putting your rights into
practice if you concentrate solely on the issues in an academic
manner. And that's something that obviously IS an issue on this
list.


Tim Scanlon

________________________________________________________________
•••@••.••• (NeXTmail, MIME)  Tim Scanlon
•••@••.•••                (PGP key aval.)  crypto is good
Digital Encryption Systems Inc.             I own my own words


 ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~
 Posted by --  Andrew Oram  --  •••@••.••• --  Cambridge, Mass., USA
                 Moderator:  CYBER-RIGHTS (CPSR)

    World Wide Web:
        http://jasper.ora.com/andyo/cyber-rights/cyber-rights.html
        http://www.cs.virginia.edu/~hwh6k/public/cyber-rights.html
    FTP:
        ftp://jasper.ora.com/pub/andyo/cyber-rights

You are encouraged to forward and cross-post messages and online materials,
pursuant to any contained copyright & redistribution restrictions.
 ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~
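
The file-level steps described in the message above (wipe the file itself, then wipe the free space), as an added example that is not part of the original post or any product it mentions. The function names, the 0x00/0xFF/random pass patterns and the `limit` cap are assumptions made for the illustration; the default of 10 passes is the count the message gives.

```python
import errno
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write in 1 MiB blocks


def _pattern(pass_no):
    """Cycle 0x00, 0xFF, random so that consecutive passes differ."""
    fixed = (b"\x00", b"\xff", None)[pass_no % 3]
    return (lambda n: fixed * n) if fixed else secrets.token_bytes


def wipe_file(path, passes=10, remove=True):
    """Overwrite `path` in place `passes` times; return the passes completed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            gen, left = _pattern(p), size
            fh.seek(0)
            while left:
                n = min(CHUNK, left)
                fh.write(gen(n))
                left -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    if remove:
        os.remove(path)
    return passes


def fill_free_space(directory, limit=None, passes=3):
    """Grow a scratch file until the volume is full (or `limit` bytes, an
    assumed safety cap), wipe it `passes` times, delete it; return bytes written."""
    fd, scratch = tempfile.mkstemp(dir=directory, prefix="wipe-")
    written = 0
    try:
        while limit is None or written < limit:
            n = CHUNK if limit is None else min(CHUNK, limit - written)
            written += os.write(fd, secrets.token_bytes(n))
    except OSError as exc:
        if exc.errno != errno.ENOSPC:  # a full volume is the expected stop
            raise
    finally:
        os.fsync(fd)
        os.close(fd)
    wipe_file(scratch, passes=passes)
    return written
```

In-place overwriting only reaches the blocks the filesystem currently maps to the file; journaling or copy-on-write filesystems and flash wear-levelling can keep older copies elsewhere, which is one more reason the message's advice to encrypt is the stronger control.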