wipe utility

bscott at ntisys.com
Tue Aug 17 22:03:00 EDT 2004


  WARNING: This message deals with Information Assurance (IA) topics.  IA is
a harsh field.  There is no room for hurt feelings here.  If you prefer not
to have personal opinions challenged, stop reading now.

On Tue, 17 Aug 2004, at 7:13pm, puissante at lrc.puissante.com wrote:
> All joking aside, the *actual* threat can be hard to assess at times ...

  Absolutely.
 
> ... so one sometimes must make "paranoid" or worst case scenario
> decisions.

  Sure.

> Some minimal approaches such as not using journaled filesystems on
> sensitive data may not be perfect, but at least I sleep a bit better at
> night.

  Here's where I think you're going wrong.

  I think all you're buying yourself is a false sense of security.

  First, there's comparative vulnerability assessment.  Of all the things one
could worry about, worrying about data being recovered from a filesystem
journal is a bit like worrying about the lock on a medicine cabinet on the
Titanic.

  Information assurance also includes more than just confidentiality;
availability and integrity are also key.  Journaling filesystems help
protect those.

  Most important of all, in order to make use of data in a filesystem
journal, you basically need to assume the attacker has achieved full root
compromise of your system.  At that point, you're pretty much fscked, no
matter what.  They could just as easily modify your kernel to divert a copy
of everything you do to their system, with you none the wiser.

  So, sure, if it gives you a warm fuzzy, go right ahead with the
"non-journaling filesystems are safer" idea.  Wear a tin-foil hat, too.  
You never know -- there might really *be* secret government mind-control
satellites.  :-)

> If I were really serious, I'd set up an encrypted partition with a running
> cron job that expected a response from me every so often, and if it didn't
> get that it would shred the partition along with the private keys.

  If you were really serious, you would start by never connecting a system
containing sensitive information to a public network like the Internet.  
You physically secure the whole computer.  It's called "system high".

  Another valid technique is to encrypt data using a long asymmetric key
kept on removable media, and protected with a strong pass-phrase.  
Decryption is to volatile storage only (i.e., RAM).  This achieves much
better confidentiality than any automated system that has access to the
secret keys, and also achieves much better availability, as forgetting to
reset the deadman timer won't destroy anything.

  Deadman timers are usually a sign of an amateur.  Real systems are secure
regardless of how long they sit idle.

> Some hard drives, btw, do come with their own security shredding abilities
> built in.

  I haven't seen that.  I'm interested.  Got any links?

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
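The discipline described in the message above (long asymmetric key on removable media, protected by a pass-phrase, with decryption only ever into RAM) as a small sh wrapper. This is an added example, not code from Ben's message or from any project he mentions; it assumes GnuPG as the tool, a GnuPG home directory mounted from a USB stick at /media/usbkey/gnupghome, /dev/shm as the RAM-backed destination, and the helper names is_volatile, swap_active, decrypt_to_ram and scrub are all invented here. It also enforces a check the message does not spell out: with swap active, tmpfs pages can be written to disk, so "volatile storage only" is not true unless swap is off or encrypted.

```shell
#!/bin/sh
# Added example, not from the original message: a wrapper around gpg that
# enforces "private key on removable media, plaintext to RAM only".
# The mount points below are assumptions for illustration.
set -u

KEYRING_MEDIA="${KEYRING_MEDIA:-/media/usbkey/gnupghome}"  # assumed: GnuPG home on the USB stick
RAMDIR="${RAMDIR:-/dev/shm}"                                # tmpfs; contents vanish on power-off

# Succeed only if the filesystem holding $1 is RAM-backed (tmpfs or ramfs).
is_volatile() {
    fstype=$(stat -f -c %T "$1" 2>/dev/null) || return 1
    case "$fstype" in
        tmpfs|ramfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeed if any swap device is active.  /proc/swaps has one header line;
# any further line is an active swap area, and tmpfs pages can land there.
swap_active() {
    [ -r /proc/swaps ] || return 1
    [ "$(wc -l < /proc/swaps)" -gt 1 ]
}

# decrypt_to_ram CIPHERTEXT.gpg
# Prints the plaintext path on success.  Exit codes: 2 destination is not
# RAM-backed, 3 key media not mounted, 4 swap active, otherwise gpg's status.
decrypt_to_ram() {
    cipher="$1"
    out="$RAMDIR/$(basename "$cipher" .gpg)"
    is_volatile "$RAMDIR"   || { echo "refusing: $RAMDIR is not RAM-backed" >&2; return 2; }
    [ -d "$KEYRING_MEDIA" ] || { echo "refusing: key media not mounted at $KEYRING_MEDIA" >&2; return 3; }
    ! swap_active           || { echo "refusing: swap is active; disable or encrypt it first" >&2; return 4; }
    umask 077
    # The private key never leaves the removable media; gpg prompts for the
    # pass-phrase that protects it.
    gpg --homedir "$KEYRING_MEDIA" --decrypt --output "$out" "$cipher" || return $?
    echo "$out"
}

# Overwrite and unlink the plaintext when done (best effort on tmpfs; the
# pages are returned to the kernel on unlink in any case).
scrub() {
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Interactive use (assumed filename):
#   plain=$(decrypt_to_ram /media/usbkey/notes.txt.gpg) && less "$plain"; scrub "$plain"
```

The refusals are the point: the wrapper will not run gpg unless the destination is actually tmpfs or ramfs and no swap is active, since either condition would put plaintext on non-volatile media behind your back. Note that this does nothing against the case the message already concedes is lost: a root compromise of the running system can read /dev/shm, or the process memory, while the file is open.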