Working up an appetite for destruction

Data disposal without tears


Crush, Kill, Destroy

When it comes to deciding what data you should jettison, I'm going to have to leave that up to you and your legal counsel (did I mention that I'm not a lawyer?). Basically, if you're not legally obligated to keep it, and there's no real technical reason, I'd encourage you to get rid of it. Erase it, and make sure that you remove the backups as well. If you're really going to destroy data, then make sure you get all of it, which of course leads to another important consideration: where is the data we want to get rid of stored?

One of the most obvious locations of data that should be removed is the hard drive. Unfortunately, this is also where a lot of mistakes are made. Simson Garfinkel recently published a fascinating and revealing article titled "Remembrance of Data Passed: A Study of Disk Sanitization Practices" (882 kb PDF) that every security pro should read. Garfinkel and his associate acquired more than 150 hard drives from eBay and offline sales, many of which were supposed "erased". They were able to recover data from 64 per cent of the drives. Some of the data they recovered included:

  • 3,722 credit card numbers
  • Bank account numbers, access dates, account balances, and even ATM software from a hard drive used in an ATM machine in Illinois
  • Memos about corporate personnel issues
  • Email messages
  • Pornography

Garfinkel's larger point in his article is that merely formatting or fdisking a drive really does very little (in fact, fdisk only overwrites about 0.01 per cent of the drive's sectors). Data is still easily recoverable. To really erase the contents of a drive, sanitization software is required. Fortunately, there is some very good, very inexpensive (or even free) software available that can take care of this problem, no matter if you're using Windows, Mac OS, or *nix. Garfinkel recommends some software, but you can easily find other lists elsewhere.

Keep in mind that the software above will truly erase a drive, but still leave it usable. If you really want to make sure that data from a drive can't be recovered, and you want to work out your frustrations, then get a ball-peen hammer and beat the hell out of that drive until it's in pieces. Ain't no recovering that data.

Of course, you need to worry about more than just hard drives. What about USB drives? Palms and Pocket PCs? Cell phones? Laptops used by employees? Backup tapes, CDs, and DVDs? Routers? All these devices have the ability to store data on them that you may want to wipe. Heck, even the Furby - a talking doll - was a problem for the NSA a few years ago. All of these devices need to be covered by your policy, since any of them could be requested in a lawsuit.


Other stories you might like

  • Infosys skips government meeting – and collecting government taxes
    Tax portal wobbles, again

    Services giant Infosys has had a difficult week, with one of its flagship projects wobbling and India's government continuing to pressure it over labor practices.

    The wobbly projext is India's portal for filing Goods and Services Tax returns. According to India's Central Board of Indirect Taxes and Customs (CBIC), the IT services giant reported a "technical glitch" that meant auto-populated forms weren't ready for taxpayers. The company was directed to fix it and CBIC was faced with extending due dates for tax payments.

    Continue reading
  • Google keeps legacy G Suite alive and free for personal use
    Phew!

    Google has quietly dropped its demand that users of its free G Suite legacy edition cough up to continue enjoying custom email domains and cloudy productivity tools.

    This story starts in 2006 with the launch of “Google Apps for Your Domain”, a bundle of services that included email, a calendar, Google Talk, and a website building tool. Beta users were offered the service at no cost, complete with the ability to use a custom domain if users let Google handle their MX record.

    The service evolved over the years and added more services, and in 2020 Google rebranded its online productivity offering as “Workspace”. Beta users got most of the updated offerings at no cost.

    Continue reading
  • GNU Compiler Collection adds support for China's LoongArch CPU family
    MIPS...ish is on the march in the Middle Kingdom

    Version 12.1 of the GNU Compiler Collection (GCC) was released this month, and among its many changes is support for China's LoongArch processor architecture.

    The announcement of the release is here; the LoongArch port was accepted as recently as March.

    China's Academy of Sciences developed a family of MIPS-compatible microprocessors in the early 2000s. In 2010 the tech was spun out into a company callled Loongson Technology which today markets silicon under the brand "Godson". The company bills itself as working to develop technology that secures China and underpins its ability to innovate, a reflection of Beijing's believe that home-grown CPU architectures are critical to the nation's future.

    Continue reading

Biting the hand that feeds IT © 1998–2022