On Tue, May 07, 2002 at 12:15:20AM -0400, Bede McCall wrote:
> Essentially, the cost of media destruction is always assumed to be
> less than the cost of the consequences of a failure to do so.
> Obviously, this model isn't always the right one for a business.

And it is never the right model for the deletion of one file on a disk you are still using.

Consider ssh-agent's use of RAM. When you no longer need a key loaded into the agent, the agent overwrites (or tries to) the memory that held that key. This is not good enough to guarantee that the cleartext key will never be recoverable, but what are you going to do? Torch the machine every time you log out? No, you secure the hardware and the OS, but you make leaks even less likely by minimizing the lifetime of cleartext secrets, and by maximizing the effort of recovering them even if an attacker *does* get access to the hardware.

If you need better than that, you keep your secrets in tamper-proof or otherwise lower-risk subsystems, and keep them off general-purpose computers.

--
David Krikorian <[EMAIL PROTECTED]>, radio: KA1NAP, groups: APO LSC SIPB Grey17

---
Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
Mail administrative requests to `[EMAIL PROTECTED]'.
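The "overwrites (or tries to)" point above has a concrete pitfall: a plain `memset()` on a buffer that is about to be freed is a dead store, and an optimizing compiler is allowed to drop it, leaving the cleartext key in the heap. The example below is added here as an illustration and is not ssh-agent's code; it models one loaded key slot and wipes it through a volatile function pointer so the store cannot be elided (real libcs offer `explicit_bzero()` or C11 `memset_s()` for the same purpose; the names `secure_wipe`, `key_slot`, `slot_load` and `slot_unload` are hypothetical, and the key bytes are constructed sample data, not a real key).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A wipe the optimizer cannot remove as a dead store: the call goes
 * through a volatile function pointer, so the compiler must assume the
 * callee has side effects it cannot see. (Hypothetical helper; on
 * platforms that have it, explicit_bzero() or memset_s() is preferable.) */
static void *(*const volatile wipe_memset)(void *, int, size_t) = memset;

static void secure_wipe(void *p, size_t n) {
    if (p != NULL && n > 0)
        wipe_memset(p, 0, n);
}

/* One in-memory key slot, standing in for a single identity loaded
 * into an agent. The cleartext lives only between load and unload. */
struct key_slot {
    unsigned char *secret;   /* cleartext key material, heap allocated */
    size_t len;
    int loaded;
};

/* Copy key bytes into the slot. The caller is responsible for wiping
 * its own copy once the slot holds the key. Returns 0 on success. */
static int slot_load(struct key_slot *s, const unsigned char *key, size_t len) {
    s->secret = malloc(len);
    if (s->secret == NULL)
        return -1;
    memcpy(s->secret, key, len);
    s->len = len;
    s->loaded = 1;
    return 0;
}

/* Unload: overwrite the bytes before the block goes back to the
 * allocator, so a later allocation or a heap dump does not find the
 * cleartext key sitting in freed memory. */
static void slot_unload(struct key_slot *s) {
    if (!s->loaded)
        return;
    secure_wipe(s->secret, s->len);
    free(s->secret);
    s->secret = NULL;
    s->len = 0;
    s->loaded = 0;
}

/* Returns 1 if every byte in [p, p+n) is zero, else 0. */
static int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Stack-buffer check: fill, wipe, and confirm the wipe took effect. */
static int wipe_stack_buffer_check(void) {
    unsigned char buf[64];
    memset(buf, 0xAA, sizeof buf);
    secure_wipe(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

/* Heap-slot check: load a constructed key, confirm it is cleartext while
 * loaded, wipe it in place and inspect the bytes before the slot is freed
 * (inspecting after free() would be a use-after-free). Returns 1 if the
 * key was present while loaded and all-zero after the wipe. */
static int demo_wipe_check(void) {
    static const unsigned char constructed_key[] =
        "sample-key-bytes-not-a-real-key";   /* constructed, not a real key */
    struct key_slot slot = {0};

    if (slot_load(&slot, constructed_key, sizeof constructed_key) != 0)
        return 0;
    /* ... the key would be used here, e.g. to sign a challenge ... */
    int was_cleartext = memcmp(slot.secret, constructed_key, slot.len) == 0;

    secure_wipe(slot.secret, slot.len);          /* wipe, then inspect */
    int is_wiped = all_zero(slot.secret, slot.len);

    slot_unload(&slot);                          /* wipes again (harmless) and frees */
    return was_cleartext && is_wiped && slot.loaded == 0 && slot.secret == NULL;
}

int main(void) {
    printf("stack wipe: %s\n", wipe_stack_buffer_check() ? "ok" : "FAILED");
    printf("heap slot wipe: %s\n", demo_wipe_check() ? "ok" : "FAILED");
    return 0;
}
```

Compile with optimization on (`cc -O2`) to see the point: the volatile-pointer wipe survives where a bare `memset()` before `free()` may not. This only handles the copy the process itself controls; copies left in registers, in callers' buffers, in swap, or in a core dump are exactly the residue the post concedes a software wipe cannot guarantee against, which is why it pairs the wipe with a short cleartext lifetime and hardened hardware and OS.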
