wipe utility

Fred puissante at lrc.puissante.com
Wed Aug 18 02:08:01 EDT 2004


On Tue, 2004-08-17 at 21:58, bscott at ntisys.com wrote:
>   WARNING: This message deals with Information Assurance (IA) topics.  IA is
> a harsh field.  There is no room for hurt feelings here.  If you prefer not
> to have personal opinions challenged, stop reading now.

I've got VERY thick skin. :-)

> > Some minimal approaches such as not using journaled filesystems on
> > sensitive data may not be perfect, but at least I sleep a bit better at
> > night.
> 
>   Here's where I think you're going wrong.
> 
>   I think all you're buying yourself a false sense of security.

I knew you were going to say that!

>   First, there's comparative vulnerability assessment.  Of all the things one
> could worry about, worrying about data being recovered from a filesystem
> journal is a bit like worrying about the lock on a medicine cabinet on the
> Titanic.

I have not let on to all my concerns. I do have a highly specific
scenario in mind.

>   Information assurance also includes more than just confidentiality;  
> availability and integrity are also key.  Journaling filesystems help
> protect that.

It's a strange situation. The type of information I want to store
securely -- old private emails, say -- I would not care as much if they
were lost to a hard drive crash as I would if they were to fall into the
wrong hands.

>   Most important of all, in order to make use of data in a filesystem
> journal, you basically need to assume the attacker has achieved full root
> compromise of your system.  At that point, you're pretty much fscked, no
> matter what.  They could just as easily modify your kernel to divert a copy
> of everything you do to their system, with you none the wiser.

I assume the attacker has physical access to my system. What if someone
were to break into my house while I'm on a long cruise somewhere and
steal the hard drives?

>   So, sure, if it gives you a warm fuzzy, go right ahead with the
> "non-journaling filesystems are safer" idea.  Wear a tin-foil hat, too.  
> You never know -- there might really *be* secret government mind-control
> satellites.  :-)

I'm not that nuts, but I do have some practical concerns, even if they
are on the edge of paranoia.

> > If I were really serious, I'd set up an encrypted partition with a running
> > cron job that expected a response from me every so often, and if it didn't
> > get that it would shred the partition along with the private keys.
> 
>   If you were really serious, you would start by never connecting a system
> containing sensitive information to a public network like the Internet.  
> You physically secure the whole computer.  It's called "system high".

True, but since the data I wish to protect are "old email archives" (not
really, but let's say) -- something I want available online locally when
I need them, but do not want falling into the wrong hands, I do need to
have a connection to the Internet.

>   Another valid technique is to encrypt data using a long asymmetric key
> kept on removable media, and protected with a strong pass-phrase.  
> Decryption is to volatile storage only (i.e., RAM).  This achieves much
> better confidentiality than any automated system that has access to the
> secret keys, and also achieves much better availability, as forgetting to
> reset the deadman timer won't destroy anything.

>   Deadman timers are usually a sign of an amateur.  Real systems are secure
> regardless of how long they sit idle.

How does one secure a system from surprise physical attack? The "old
emails", say from peace action correspondence, might be seen as a target
by, say, a paranoid group of vigilantes who see "terrorism" in every
corner, and may be so bold as to break into a house to steal what they
think is information they can use against the activists. I know they
won't break in while I'm home, but they might if I'm away and get stuck
in an emergency. 

The real solution to this would be to keep everything encrypted with the
keys off-site as you suggested, but that's a bit overkill for the type
of data I'm referring to. Also, I suppose I could build a concrete
bunker in my home to discourage a physical attack, but that's a bit
overkill, too. The data is of "low" importance but "high" sensitivity.

I'll have to think about it some more.

> > Some hard drives, btw, do come with their own security shredding abilities
> > built in.
> 
>   I haven't seen that.  I'm interested.  Got any links?

No links, but I noticed this information on some of my drives while
playing around with hdparm.

Here's the security info I get with hdparm -I /dev/hda on my
system:

Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        40min for SECURITY ERASE UNIT. 40min for ENHANCED SECURITY ERASE UNIT.

Interesting, huh? /dev/hdb on my system doesn't have these security
features. Nor do I recall seeing anything mentioned about security
features in the docs when I purchased this particular drive.

I will say this to all: be VERY careful with hdparm, as you could wipe
out your drive if you type the wrong thing. You can use it to experiment
with the settings of your hard drive for performance improvements, and
it has non-destructive performance tests built in. Just read the man
pages WELL before experimenting. And of course it goes without saying to
have backups.

On a side note -- I had a drive go bad on me in a weird way once -- DMA
had gotten *really slow*, so slow it was actually faster to turn DMA
off. It impacted performance of my workstation greatly, making the 1.5
GHz Pentium apparently perform no better than a 386. Hdparm allowed me
to pinpoint the problem drive and the exact problem with it. So, I went
out and purchased a new drive, and now my system screams again with
speed.

I hate it when hardware failures start looking like software problems.
First my hard drive and then the network card.

-- 
Fred -- fred at lrc.puissante.com -- place "[hey]" in your subject.
There are inflows and outflows -- and you're just a little node.
