Re: Destroying confidential information from database

2009-05-02 Thread Peter Gutmann
Sandy Harris <sandyinch...@gmail.com> writes:

> Yes, but that paper is over ten years old. In the meanwhile, disk designs and
> perhaps encoding schemes have changed, journaling file systems have become
> much more common and, for all I know the attack technology may have changed
> too.

It's nearly fifteen years old (it was written in 1995, when the very first
PRML drives were just starting to appear, there's a reference in there to a
Quantum whitepaper published the same year) and refers to technology from the
early 1990s (and leftover stuff from the late 1980s, which was still around at
the time).  I've had an epilogue attached to the paper for, oh, at least ten
of those fifteen years saying:

  In the time since this paper was published, some people have treated the 35-
  pass overwrite technique described in it more as a kind of voodoo
  incantation to banish evil spirits than the result of a technical analysis
  of drive encoding techniques.  As a result, they advocate applying the
  voodoo to PRML and EPRML drives even though it will have no more effect than
  a simple scrubbing with random data.  In fact performing the full 35-pass
  overwrite is pointless for any drive since it targets a blend of scenarios
  involving all types of (normally-used) encoding technology, which covers
  everything back to 30+-year-old MFM methods (if you don't understand that
  statement, re-read the paper).  If you're using a drive which uses encoding
  technology X, you only need to perform the passes specific to X, and you
  never need to perform all 35 passes.  For any modern PRML/EPRML drive, a few
  passes of random scrubbing is the best you can do.  As the paper says, "A
  good scrubbing with random data will do about as well as can be expected".
  This was true in 1996, and is still true now.

  Looking at this from the other point of view, with the ever-increasing data
  density on disk platters and a corresponding reduction in feature size and
  use of exotic techniques to record data on the medium, it's unlikely that
  anything can be recovered from any recent drive except perhaps a single
  level via basic error-cancelling techniques.  In particular the drives in
  use at the time that this paper was originally written have mostly fallen
  out of use, so the methods that applied specifically to the older, lower-
  density technology don't apply any more.  Conversely, with modern high-
  density drives, even if you've got 10KB of sensitive data on a drive and
  can't erase it with 100% certainty, the chances of an adversary being able
  to find the erased traces of that 10KB in 80GB of other erased traces are
  close to zero.

(the second paragraph is slightly newer than the first one).  The reason why I
haven't updated the paper is that there really isn't much more to say than
what's in those two paragraphs, EPRML and perpendicular recording are nothing
like the technology that the paper discusses, for these more modern techniques
a good scrubbing is about the best you can do, and you have to balance the
amount of effort you're prepared to expend with the likelihood of anyone even
trying to pull 10kB of data from a (well, at the time 80GB was the largest
drive, today 1TB) drive.  I made the paper as forward-looking as I could with
the information available at the time (i.e. projection to PRML/EPRML read
channels and so on in the original paper), but didn't realise that people
would skip that bit and just religiously quote the same old stuff fifteen
years later.

(I've been working on a talk on "Defending where the Attacker Isn't" where I
look at this sort of thing, in some areas like password best practices this
phenomenon is even more pronounced because organisations are religiously
following best practices designed to defend shared mainframes connected to
029 keypunches and model 33 teletypes, I hope the data erasure thing doesn't
follow the same lifecycle :-).

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Destroying confidential information from database

2009-04-30 Thread Mads

I know of procedures and programs to erase files securely from disks,
Gutmann did a paper on that

What I don't know is how to securely erase information from a database.

I cannot assume that the vendor solves this matter, anyone have a clue?

Regards,

Mads Rasmussen



RE: Destroying confidential information from database

2009-04-30 Thread ian.farquhar
> What I don't know is how to securely erase information from a
> database.

> I cannot assume that the vendor solves this matter, anyone have a
> clue?

I'd say your assumption is valid.  This is not to disrespect the
database vendors, but to point out that their risk modelling is
generally significantly looser than that which would be accepted by
someone who worries about secure data erasure on storage media.

I'd strongly suggest erasing the disk on which the database is stored,
using whatever mechanism meets your security needs (i.e. from a DoD
secure erase right up to the full physical destruction of the media).

Also consider erasure of any areas of the disk where data might have
been cached, including but not limited to working tables and swap.

Ian.



Re: Destroying confidential information from database

2009-04-30 Thread Sandy Harris
On Mon, Mar 9, 2009 at 10:32 PM, Mads <m...@lsitec.org.br> wrote:

> I know of procedures and programs to erase files securely from disks,
> Gutmann did a paper on that

Yes, but that paper is over ten years old. In the meanwhile, disk
designs and perhaps encoding schemes have changed, journaling
file systems have become much more common and, for all I
know the attack technology may have changed too.

Is there a more recent analysis or is Gutmann still the
best reference?

-- 
Sandy Harris,
Quanzhou, Fujian, China



Re: Destroying confidential information from database

2009-04-30 Thread james hughes

On Mar 9, 2009, at 10:32 PM, Mads wrote:

> I know of procedures and programs to erase files securely from
> disks, Gutmann did a paper on that
>
> What I don't know is how to securely erase information from a
> database.

If the material is that sensitive, and you only want to selectively
delete the information, the only way is to:

1) delete the information from the database using the commercial means,
2) export the database,
3) inspect the exported data to ensure all the sensitive information
is deleted,
4) import the database to another storage system,
5) destroy (degauss, wipe) the original storage system,
6) the truly paranoid would destroy the RAID controllers also (since
they contain NVRAM).

Not trivial...

Jim
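Added example, written for this thread rather than taken from any poster: it uses SQLite (chosen as the stand-in database, since the posters name no vendor) to show why Mads's question is hard and why Ian and Jim both end up at the storage medium. A deleted row's bytes stay in the file after DELETE until the engine zeroes them (PRAGMA secure_delete) or rebuilds the file (VACUUM), and even then the journal file, VACUUM's temp file and the sectors the old pages occupied remain outside the engine's reach. The table, columns and the secret string are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample value: long and unusual so that a raw byte scan of the
# file cannot match it by accident.
SECRET = b"CONSTRUCTED-SENSITIVE-RECORD-000-00-0000"


def _create_and_delete(path: str, secure_delete: bool) -> None:
    """Store SECRET in one of several rows, then DELETE that row.

    With PRAGMA secure_delete OFF the engine only marks the cell's space as
    free; with it ON it zeroes the freed bytes before writing the page back.
    """
    con = sqlite3.connect(path)
    con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, note TEXT)")
    rows = [(i, f"filler row {i}") for i in range(1, 10)]
    rows[4] = (5, SECRET.decode())  # sensitive record sits mid-page
    con.executemany("INSERT INTO customers VALUES (?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM customers WHERE id = 5")  # the "commercial means"
    con.commit()
    con.close()


def secret_survives_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Return True if SECRET is still readable from the raw database file
    after the row was deleted through the database's own interface.

    This is the inspection step: scan the storage, not the query results.
    Even when it returns False, the rollback journal written during DELETE,
    any temp file VACUUM used, and the sectors the old pages occupied are
    outside SQLite's control; only wiping or destroying the medium covers them.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db.sqlite")
        _create_and_delete(path, secure_delete)
        if vacuum:
            con = sqlite3.connect(path)
            con.execute("VACUUM")  # rebuild the file from live rows only
            con.close()
        with open(path, "rb") as fh:
            return SECRET in fh.read()


if __name__ == "__main__":
    print("DELETE only            :", secret_survives_delete(False))        # True
    print("DELETE + secure_delete :", secret_survives_delete(True))         # False
    print("DELETE + VACUUM        :", secret_survives_delete(False, True))  # False
```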
