Surprised it doesn't mention compliance frameworks as a culprit. NIST 800-88 calls for destruction if the data is highly sensitive and the drive is leaving the organization. Wrt risk management, it's not worth deviating from NIST.
I faced this same problem. My company policy required destruction of data before drives can leave the colo. I even had a hydraulic drive crusher in the cage to crush failed drives.
However. The Linux utility shred can do a multi-pass random rewrite followed by zeros. (That last is critical for the next step)
Then to verify, grab a random block and sum the data. If it’s not zero you crush the disk.
Bake that script into a NetBoot image, wipe the boot drive’s boot blocks and reboot.
I decommissioned about $5M worth of servers while preserving the disks. This preserved the hardware for reuse.
If you want to be sure send a random selection of the wiped drives to your data recovery team. They won’t be able to get anything back.
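The overwrite-then-sample check described in the comment above, as an added example rather than the commenter's own script. It runs on an ordinary file standing in for /dev/sdX and never touches a real block device; the block size, pass count and sample count are assumptions. It also adds the full read-back and the detection-probability arithmetic a practitioner would want before trusting random sampling alone.

```python
"""Overwrite-then-sample verification, modelled on the shred-then-sum procedure
in the comment above.  Added example, not the commenter's script: it operates on
an ordinary file standing in for /dev/sdX and never touches a real block device.
Block size and sample counts are assumptions."""
import os
import secrets
import tempfile
from typing import List, Tuple

BLOCK = 4096   # sampling granularity (assumed; a sector-aligned size on real media)


def overwrite(path: str, passes: int = 2, chunk: int = 1 << 20) -> None:
    """Random-data passes followed by a final all-zero pass, like `shred -n 2 -z`.
    The zero pass is what makes the later check possible."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pass_no in range(passes + 1):
            fill = (lambda n: os.urandom(n)) if pass_no < passes else bytes
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(fill(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push each pass through the page cache


def sample_nonzero_blocks(path: str, samples: int = 64, block: int = BLOCK) -> List[int]:
    """Read `samples` randomly chosen blocks; return the offsets that are not all zero.
    A block whose bytes sum to zero is all-zero, so any(data) is the same test."""
    size = os.path.getsize(path)
    nblocks = max(1, size // block)
    bad = []
    with open(path, "rb") as f:
        for _ in range(samples):
            idx = secrets.randbelow(nblocks)
            f.seek(idx * block)
            if any(f.read(block)):
                bad.append(idx * block)
    return bad


def verify_wiped(path: str, samples: int = 64) -> bool:
    """True if no sampled block holds non-zero data: the 'crush it otherwise' gate."""
    return not sample_nonzero_blocks(path, samples)


def scan_all(path: str, block: int = BLOCK) -> int:
    """Full read-back: offset of the first non-zero block, or -1 if everything is zero."""
    with open(path, "rb") as f:
        offset = 0
        while True:
            data = f.read(block)
            if not data:
                return -1
            if any(data):
                return offset
            offset += len(data)


def detection_probability(total_blocks: int, bad_blocks: int, samples: int) -> float:
    """Chance that random sampling hits at least one of `bad_blocks` unwiped blocks.
    Sampling catches a wipe that never ran or died early; it is weak against a few
    stray blocks, which is the case for a full scan or a recovery-team spot check."""
    return 1.0 - ((total_blocks - bad_blocks) / total_blocks) ** samples


def demo() -> Tuple[bool, bool, int]:
    """Create 1 MiB of constructed 'sensitive' data, wipe it, then simulate a wipe
    that missed one block.  Returns (verified_before, verified_after, first_bad_offset)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(BLOCK * 256))
        path = tmp.name
    try:
        before = verify_wiped(path)
        overwrite(path)
        after = verify_wiped(path)
        with open(path, "r+b") as f:      # leave one block unwiped
            f.seek(BLOCK * 17)
            f.write(b"A" * 16)
        first_bad = scan_all(path)
    finally:
        os.unlink(path)
    return before, after, first_bad


if __name__ == "__main__":
    print(demo())
    print("P(detect 1 bad block of 256 with 64 samples) =", detection_probability(256, 1, 64))
```

With 64 samples over 256 blocks, a single unwiped block is found only about 22% of the time, which is why sampling is a gate against wipes that failed wholesale, and a full read-back (or the recovery-team check the comment suggests) is the stronger test.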
I always understood reserve storage to be one of the main concerns. Your disk might have decommissioned some sectors / flash cells without wiping (or being able to wipe) them.
The data you can pull if you bypass the drive controller e.g. by flashing custom firmware or desoldering flash chips is probably not zero.
This is the big one. I doubt anyone has any actual ability to recover anything usable from such drives, but the principle works and therefore to the grinder it goes.
Modern flash devices are supposed to be able to prevent this, the protocol has allowances for it, but I think the risk of stray data remaining on such drives is actually much higher than on HDDs, because there are a lot more relocations in SSDs than on spinning rust, and because you absolutely cannot trust the typical drive firmware to implement any of the parts of the spec that are not required for booting Windows, even on supposed "enterprise" drives.
Minor nitpick: Data recovery teams are not magicians, and can also be lazy. And hacking techniques keep improving, so I'd never re-sell a drive that previously had highly valuable data.
I've heard from someone with a security clearance the DoD doesn't have an established and approved protocol for destruction, so in the meantime the drives are simply warehoused.
> The irony is that shredding devices is relatively risky today. The latest drives have 500,000 tracks of data per square inch. A sophisticated data recovery person could take a piece as small as 3mm and read the data off it, Mr Hands says.
I call bullshit on this, unless you can show me a single example of this ever happening anywhere.
Don't forget that sensitive data is encrypted. The only thing harder than breaking bitlocker on a hard drive is breaking bitlocker on a random 0.5% chunk of hard drive unaligned with the r/w tracks.
Degaussers don’t work, period. I’ve heard the theory that the hard drive case functions as a Faraday cage. Whatever the cause, the evidence-backed method is best. Grab a random selection of drives out of your degausser output tray. You’ll be able to get data off of all of them. Some may even boot. (The above led to our company buying a bunch of crushers.)
Don't HDDs come with encryption by default nowadays? I.e. the 1's and 0's on the platter go through a layer of decryption that happens on the logic board of the disk, before it travels through the SATA cable. And vice-versa when writing.
There's an ATA command to protect the encryption key with a password (and you'll be asked on boot for the password), but if the password isn't set, there's still an encryption key. Just make that irretrievable and the information is theoretically irretrievable.
But yeah, funny how superstitions still control the world and people still say "The HDD needs to be shredded so we're absolutely sure!"
Not in normal circumstances, but maybe in high profile ones. I imagine they would have tried to do something if they found, for example, hard drive fragments that Snowden possessed. If not for real purposes, perhaps to demonstrate they tried everything.
Plus, wouldn’t you expect paranoid orgs to overwrite with zeros/random or crypto-shred the data before physically shredding the device?
It does seem far fetched that someone would go to the trouble of putting a 3mm chunk of platter on a testbed only to most likely recover something that may as well be random noise.
It's why people don't worry about Apple and Privacy/Security. They aren't the best in the business, but unless you are a VIP, no one is going to waste the latest 0-click Pegasus exploit on you.
There have been multiple challenges on hard drives with substantial reward offered for anyone able to take a basic formatted drive with a few MB of files that were overwritten with 0s and recovering the files. Not once did any company accept the challenge let alone complete it. Every data recovery company would tell you that is not possible.
Today we have secure erase which is necessary to clear SSDs and I doubt there is any actual technology to recover from this mechanism. A lot of hysteria has been shown around drive clearing in the standards and until the standards reflect the reality of what is really possible and what is really sufficient I can not see companies changing.
Secure erase works well. Every other process we have around it has too much room for human error to creep in. From misconfigured drive encryption to a hdd making it to the erased pile without being erased.
Just shred it. You can't mistake a shredded drive for a non shredded drive. The margin for human error is much smaller.
> Today we have secure erase which is necessary to clear SSDs and I doubt there is any actual technology to recover from this mechanism.
You might doubt it, but you also cannot provide much evidence against it. Trim commands just tell the controller to erase data – what they actually do internally isn't easy to discover without a major operation and internal knowledge.
The best bet is not trusting the drives at all, perhaps by storing only encrypted data, then throwing away the key.
1. Nuke the key and an encrypted drive is indistinguishable from noise.
1a. When SAN sizes get STUPIDLY LARGE, multiple writes are cost and energy prohibitive, crushing is cheap, cert revocation is cheaper and leaves a device with residual value.
2. In the datacenter, data at rest is not a target, the attack happens higher up the stack where the OS/SQL/App can read the data
3. Areal density is such that a drive in a RAID array doesn't have much to offer up*
(* = I'm willing to lose #3 if #1 is utilized.)
But there's always some mouthbreather n00b or auditor or person that took a forensics class once that stands in the way.
If I can store drive encryption keys on a HSM in my old, consumer grade laptop, I would hope that large storage systems have at least the same degree of protection.
If I understand it correctly, the HSM on the HDD dying is about as likely as a HDD PCB failure. Of course in these scenarios you can't just swap the PCB's to recover the data, but in an Enterprise setting you would have mitigated this anyways, by using a form of redundant storage. If you rely on just one drive for your data's continued existence, you're doomed anyways.
I'm going to trust the storage manufacturers when they offer a secure erase function that it whole disk encrypts, and secure erase removes the decrypt keys everywhere they exist. It's a conversation you have when you establish the vendor, and they're the ones that own the risk (financial, reputational, etc) if it turns out the key is stored in plain text on ring 0, sector 0, disk 0 and someone talks about it at Defcon.
The point is: I'm tired of 'well what if?'...that comes up EVERY time there's a question about data destruction....'we should shred it "just to be sure"' is stupid.
>"You don't need an engineering degree to understand that's a bad thing," says Jonmichael Hands.
Someone without an engineering degree will say it's a bad thing because it seems like pointless waste. Someone with an engineering degree will tell you of reasons why it should be done.
Last year Morgan Stanley got rid of old computers without wiping them, they were auctioned by the moving company, and it ended up costing Morgan Stanley $35 million in fines.
This article mentions disposing of hard drives that have reached their five-year mark and are no longer under warranty.
Does anybody actually want hard drives this old? Isn't the whole point that the risk of failure and therefore data loss is too high by this point? Even if you're using them to store data redundantly, you're running the risk that when one drive fails, the backup will also encounter failure due to the stress of reading its entire contents at once in the attempt to create a new backup.
> Even if you're using them to store data redundantly, you're running the risk that when one drive fails, the backup will also encounter failure due to the stress of reading its entire contents at once in the attempt to create a new backup.
There are RAID levels with N+2 redundancy, or more with some of the fancy stuff.
You're also getting stats from Backblaze, which have the hard drives in a server, constantly powered on, under significant load. A drive that was sitting on a shelf isn't going to be less reliable just because the manufacture date is three years ago and the warranty has expired. A ten year old drive can have the same number of power on hours as a one year old drive.
Moreover, sometimes the data isn't unique. If you need a drive to host a mirror for some Linux distro it's not like you're hosting the only copy in the world.
And if the data is critical, you need better than RAID regardless. What's your plan if a voltage spike takes out multiple drives in the same machine at once? Lightning doesn't care how old your drives are.
I work somewhere that specialises in secondhand enterprise equipment and storage. The answer to your first question is "yes, but they really shouldn't". We're burning more hours than we can spare dealing with drive failures. Sure, we have RAID arrays capable of withstanding multiple failures, but we still find ourselves scrambling to replace drives faster than they're failing, even when they were tested before they were put in the spare pile.
Also, fuck Chia. It was supposed to be a low-power "proof of storage", but it's really "proof of prior work" and burns even more energy than proof of work since you need to constantly power the cryptographic calculations AND storage.
> Does anybody actually want hard drives this old?
Sure, I would! I frequently use hard drives much older than this, and while I know there's an increased risk of failure, it has never happened to me -- so that risk appears to be quite tiny.
I'm not questioning those statistics, really. Nonetheless I'll continue to go with my own experience on this. I typically have hard drives in use for 7-10 years or so before replacing them for something with higher capacity. This has never caused any issue. And when I replace a hard drive, I keep the old one in storage as an extra backup. I've copied data off of 20+ year old drives from storage without a problem before (although that's a bit different than using them daily).
In any case, should a hard drive fail, it's not of great significance because of redundancy and backups. Also, spinning platter drives usually give plenty of warning of impending failures.
If you have a good plan to recover from failures and you regularly monitor for pre-failure indicators, that the warranty expired shouldn't be a reason to drop the drives.
A hard drive being in warranty or not doesn't indicate much about its likelihood of working. There's a market for 5 year old hard drives that seem to be working, and at the same time, if you have budget, replacing your hard drives every 5 years will likely get you decent incremental capacity increases.
The bathtub curve is real, but it's hard to know where it is for a given model and production date. My personal experience is that hard drives often continue working past their warranty date, so I'd guess the other end of the bathtub is closer to ten years than five. I've run server fleets with a few thousand drives, and didn't find the other end of the curve because five year old drives are both out of warranty and relatively low capacity; we would retire systems with old drives because a new system would have much more capacity, rather than because the drives were old, but we still didn't run too many old drives.
> Also drives can start building up bad sectors that you cannot write to, but may be able to read data from.
Bad sectors are a pre-failure indicator. It's totally reasonable to stop using drives when they collect enough bad sectors. My threshold is 10 for drives you don't regularly monitor and can't easily replace, and 100 for drives with automated monitoring and simple replacement procedures.
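A check that applies the two thresholds in the comment above to a drive's SMART attributes, as an added example (not the commenter's own tooling). The attribute table is a constructed sample in the layout `smartctl -A` prints for ATA drives, and counting reallocated, pending and offline-uncorrectable sectors together as the "bad sector" figure is this example's assumption.

```python
"""Bad-sector retirement check over `smartctl -A` output, applying the two
thresholds from the comment above (10 for unmonitored drives, 100 for monitored
ones).  Added example: the attribute table is constructed, and treating
reallocated + pending + offline-uncorrectable sectors as the 'bad sector' count
is this example's assumption, not the commenter's exact rule."""
import re
from typing import Dict, Tuple

# Constructed sample in the layout smartctl -A prints for ATA drives.
SMARTCTL_SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       12
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2345
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       3
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

BAD_SECTOR_ATTRS = (5, 197, 198)
THRESHOLD = {False: 10, True: 100}   # keyed by "drive is under automated monitoring"


def parse_smart_attributes(text: str) -> Dict[int, int]:
    """Map attribute ID -> integer RAW_VALUE.  Only the leading digits of the raw
    field are used, since some drives append extra detail (e.g. '2345h+12m')."""
    attrs: Dict[int, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue                      # header, blank or unexpected line
        m = re.match(r"\d+", parts[9])
        if m:
            attrs[int(parts[0])] = int(m.group())
    return attrs


def bad_sector_count(attrs: Dict[int, int]) -> int:
    """Sum of the sector-health attributes this example treats as 'bad sectors'."""
    return sum(attrs.get(i, 0) for i in BAD_SECTOR_ATTRS)


def should_retire(attrs: Dict[int, int], monitored: bool) -> Tuple[int, bool]:
    """Return (bad sectors, retire?) under the policy for monitored/unmonitored drives."""
    count = bad_sector_count(attrs)
    return count, count >= THRESHOLD[monitored]


if __name__ == "__main__":
    attrs = parse_smart_attributes(SMARTCTL_SAMPLE)
    for monitored in (False, True):
        label = "monitored" if monitored else "unmonitored"
        print(label, should_retire(attrs, monitored))
```

On a live system the input would come from `smartctl -A /dev/sdX`; the sample drive here has 15 bad sectors, so it is retired under the unmonitored policy but kept under the monitored one.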
I wasn't ever able to figure out reliable pre-failure indicators for ssds. In my experience they work nearly perfectly, until they disappear, never to respond to commands again. Thankfully, at a much lower rate of failure (per drive) than mechanical disks.
With 6-8 drives in RAID 6, that's a vanishingly small probability which you should have an offline/remote backup to make sure would not be a disaster anyway. If there were a super-cheap source of five year-old drives, I'd never use anything newer.
Cryptographic encryption is safe for as long as your crypto is secure.
For any company dealing with sensitive data, relying on it to resell seems like a horrible idea. It’s not hard to imagine a sufficiently motivated attacker (likely state sponsored) just buying up drives and waiting a few years for when they can easily break the encryption.
> just buying up drives and waiting a few years for when they can easily break the encryption.
"Few years" ... "easily" ... yeah, nope.
I'm pretty sure that even 15 year old luks/truecrypt/bitlocker setups are not "easy" to break today, and have very little reason to suspect that current day cryptosystems would be any more likely to get broken in "few years"
You do know that state sponsored actors are already archiving encrypted traffic that they were able to tap into, between nodes of interest for them, with the same purpose, of trying to decrypt it later?
"Easily" means a very different thing if you talk about script kiddies vs state sponsored actors.
State sponsored actors are not magic. Basic crypto primitives and systems that have already been available for a long time have proven to be robust against even the most well-resourced attackers. Everything we've seen so far indicates that generally attacks happen by running malware, exploiting opsec failures, or some such leaks/implementation faults, and not by attacking cryptosystems directly.
Furthermore, the scenario relevant to this thread, decrypting discarded hard drives, offers very limited opportunities for complex attacks such as evil maids, cold boots, or other such more active methods.
Notably, Snowden said the following, and while no doubt some progress has been made since, I believe the basic idea is still valid:
> “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
From a risk management perspective, most storage devices have a "table stakes" requirement to "not lose data". Performance, storage duration, reliability, etc, etc, etc, etc, are all secondary to "do not lose data". You're dead in the water if you lose data. Everything beyond "don't lose data" can and is proprietary implementations of read/write; often with tricks being used to increase speed.
While it's challenging (if not impossible) to recover data from most "blanked out" drives, there is often no guarantee that a blanking process actually renders the underlying data unusable. For example, I believe many SSDs will simply mark a block as "unused" rather than physically rewriting the data in that block. When the block gets used again, you simply set it to the new values.
Whether it's practical, right now, to recover data really doesn't matter. These drives are leaving an organization forever. You will have absolutely no control over them. If a technique comes out to recover data from them, you cannot risk having drives floating around that are now recoverable.
> For example, I believe many SSDs will simply mark a block as "unused" rather than physically rewriting the data in that block. When the block gets used again, you simply set it to the new values.
Most SSDs (everything that follows the OPAL standard) actually encrypt all data all the time, and support a "secure erase" mode that destroys the encryption key from the TPM and renders the data inert. Copy the flash chips to your heart's content, if you believe the premise of encryption then it'll be a couple million years before you have any chance of cracking the key.
There's no reason this can't also be used on hard drives - or via a higher-level solution like Bitlocker. Again, if you believe in the idea of Bitlocker, then if you lose (or destroy) the key the data is unusable, that's the entire sales pitch of Bitlocker. Drive data is completely inaccessible if removed from their PC and the TPM it contains, and people don't like this because Windows 11 is turning this on by default now.
Physically crushing a drive is needless and wasteful unless you fundamentally disagree that cryptography exists and can work. And it also completely eliminates the possibility that your e-waste vendor is screwing you around behind your back. Fine, have a bunch of white-noise data if you like.
The problem is that businesses like to reduce a 1-in-a-trillion chance to zero, and they're punished if something does happen. And I'm sure hard drive companies like the extra sales and probably nudge them into it too. But it's overall a market failure and a needless e-waste stream, of the kind that the EU does like to eliminate.
I understand that. I'm over simplifying some things.
At the end of the day, physically destroying something is clear and easily understandable to absolutely anyone who is put in charge of device disposal. No conditionals, no complex configurations. Take the hard drive out and destroy it.
Now why don't these companies keep the drives in-house instead of destroying? That, I don't know.
But aside from that, regarding the encryption... If you used the drive without encryption at any time, then it's possible to recover the unencrypted data. You'd need to guarantee that your drives were *always* used with encryption from start to end. And that's a hard guarantee.
So yeah, if they were leaving the org, I'd destroy them too.
I don’t think that’s how it works. With these drives the AES encryption is always being done by dedicated hardware on the drive, but by default the key is just a random value stored in NVRAM.
When you do a “secure erase”, the drive will internally regenerate a new key and overwrite it in its NVRAM. Crucially, the algorithm must be securely random and the old key must be reliably overwritten. But if those conditions are met - presto! Everything on the drive that was written with the old key is now unreadable and entirely unrecoverable.
If you actually want to “lock” the drive, the key would be generated by a KDF from the password, the one saved in NVRAM would not be used.
It’s more complicated than that, if you want to support enabling a password without wiping the drive. That would involve encrypting/decrypting a stored key with the password. But either way you can definitely secure erase a modern unlocked drive, if you trust the implementation!
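A model of the key handling the comments above describe (random media key in NVRAM, secure erase regenerates it, a password wraps the media key rather than replacing it), as an added example that is not any vendor's firmware. The SHA-256 counter-mode keystream stands in for the drive's AES hardware, and the NVRAM layout, `SelfEncryptingDrive` class and PBKDF2 work factor are assumptions made for illustration.

```python
"""Model of a self-encrypting drive's key handling as the comments above describe
it: a random media key held in NVRAM, a 'secure erase' that regenerates that key,
and a user password that wraps the media key rather than replacing it.  Added
example: the SHA-256 counter-mode keystream stands in for the drive's AES
hardware and the NVRAM layout is an assumption, not any vendor's firmware."""
import hashlib
import hmac
import os
from typing import Dict, Optional

KEY_LEN = 32
PBKDF2_ROUNDS = 100_000   # assumed work factor for the password KDF


def xor_at(key: bytes, offset: int, data: bytes) -> bytes:
    """Stream cipher keyed on (key, media position): the same key at the same
    offset always yields the same keystream, so read undoes write."""
    cache: Dict[int, bytes] = {}
    out = bytearray()
    for i, b in enumerate(data):
        pos = offset + i
        blk = pos // 32
        if blk not in cache:
            cache[blk] = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out.append(b ^ cache[blk][pos % 32])
    return bytes(out)


class SelfEncryptingDrive:
    def __init__(self, size: int) -> None:
        self.media = bytearray(size)              # flash: only ever holds ciphertext
        self.salt = os.urandom(16)
        self.nvram_key: Optional[bytes] = os.urandom(KEY_LEN)  # media key, no password yet
        self.wrapped: Optional[bytes] = None      # media key wrapped under the password KEK
        self.tag: Optional[bytes] = None

    # --- normal I/O: the controller encrypts and decrypts transparently ---
    def write(self, offset: int, plaintext: bytes) -> None:
        if self.nvram_key is None:
            raise PermissionError("drive is locked")
        self.media[offset:offset + len(plaintext)] = xor_at(self.nvram_key, offset, plaintext)

    def read(self, offset: int, length: int) -> bytes:
        if self.nvram_key is None:
            raise PermissionError("drive is locked")
        return xor_at(self.nvram_key, offset, bytes(self.media[offset:offset + length]))

    # --- password: wrap the existing media key, so enabling it keeps the data ---
    def _kek(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, PBKDF2_ROUNDS, KEY_LEN)

    def set_password(self, password: bytes) -> None:
        if self.nvram_key is None:
            raise PermissionError("unlock first")
        kek = self._kek(password)
        self.wrapped = xor_at(kek, 0, self.nvram_key)
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()   # detects a wrong password

    def lock(self) -> None:
        if self.wrapped is None:
            raise ValueError("no password set")
        self.nvram_key = None           # plaintext media key no longer held anywhere

    def unlock(self, password: bytes) -> None:
        if self.wrapped is None or self.tag is None:
            return                      # no password configured: already usable
        kek = self._kek(password)
        if not hmac.compare_digest(self.tag, hmac.new(kek, self.wrapped, "sha256").digest()):
            raise ValueError("wrong password")
        self.nvram_key = xor_at(kek, 0, self.wrapped)

    # --- crypto-erase: replace the media key; the flash contents are untouched ---
    def secure_erase(self) -> None:
        """A real drive must overwrite the old key in NVRAM reliably and draw the
        new one from a good RNG; those two properties are the whole guarantee."""
        self.nvram_key = os.urandom(KEY_LEN)
        self.wrapped = None
        self.tag = None
```

After `secure_erase()` the flash bytes are bit-for-bit what they were before, which is the point the comments make: copying the chips yields ciphertext under a key that no longer exists, and the only two things worth auditing in a real implementation are the RNG and the old key's erasure.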
Ah, you have never been on the IT side of any shop have you? The risks to keep running said hardware, or performance, or storage space, or power consumption or whatever are too high so you aren't going to be using it. So you decom it and do what, stick it in a closet?
Decommissioned hardware that is put in storage inevitably walks home with an enterprising employee to whom the risks from the business perspective are simply not a factor.
>hardware, or performance, or storage space, or power consumption or whatever are too high
I just upgraded my 10 year old laptop because I wanted to do AI Art locally.
I ran video games, CAD, cellphone emulators, my programs, etc... on this computer and it still works. Heck, I still use it in a different room now.
It's not the 2000s anymore, we don't need tons of processing power to open web browsers and M$ Office. Decommissioning could be a rare event in the future.
A typical office laptop is pretty useless after about five years.
Even if the standard consumer stuff works fine, all the annoying enterprise security and remote management software that you're required to deploy just seems to suck up more and more resources every year. Unless you're lucky enough to work in an industry where that sort of thing isn't needed...
But even if you forget the software side, most office workers don't take great care of their devices. Even a solid ThinkPad will often have bits falling off it after that amount of time.
Can't agree, honestly. Someone in sales might have dropped their laptop a few times, but outside of coffee spillages (ThinkPads had a drain hole), they're not in bad shape. I've bought (via donation to charity) used work MacBooks and they were in great shape. Battery life is the main wear item.
As to bloat and performance, the standard amount of RAM in a laptop has barely budged in over 10 years. In 2012, a typical consumer laptop might have had 8G RAM and the higher end models 16G RAM.
In 2023, a quick search shows basic home laptops still for sale with 4G RAM, and typical consumer laptops around the $1000 price mark come with 16G RAM as standard.
CPU performance has increased a bit in that time, but not by a whole lot, especially single-threaded. An old laptop might be a bit slow, but it's usually RAM and operating system support which makes it obsolescent. Apps and web pages either fit in memory or they don't; the OS you're running either supports the latest app / browser (and thus web pages) or it doesn't.
> Now why don't these companies keep the drives in-house instead of destroying? That, I don't know.
Keep them and do what with them? If you're an enterprise running many disks, you're generally replacing them with higher capacity disks and the old disks are less useful. Or maybe you have some policy on retiring drives based on age or ssd wear. Or maybe you eliminated a storage tier for whatever reason.
I worked for a DoD contractor, and we were guilty of sending boxes of SSD's to the shredders. These were in old desktops/laptops.
If we had to replace a drive in a computer (or upgrade it from a HDD to SSD), we had to purchase a new drive. We were not allowed to re-use a drive. However, we could re-issue an entire computer to another user.
Makes zero sense, but that's what the compliance industry came up with. It's a money-making deal for everyone involved, except the companies that need to comply with it.
My friend once worked at a place where the security policy was that every part of the PC including monitors was crushed and shredded. This was a financial services company, but nevertheless totally over the top.
Electronic devices keep state in all sorts of strange ways nowadays. If you have the money, the safest strategy is to shred everything rather than having to do a ton of research figuring out whether a given device needs it.
For example, lots of people don't realise how many printers are vulnerable to recovering previously printed documents. In the past, you might have just opened it up and ripped out the hard disk and memory, but nowadays with NAND and DRAM being soldered onto motherboards, do you really trust that's enough?
I recently had a Dell monitor spaz out. Even powered off and powered back on, it was somehow keeping a (corrupted) image of what it had shown when last plugged in to my laptop. It's unclear how that's possible, but others witnessed it.
Had this been during something sensitive being displayed, it might warrant shredding that particular monitor. I have no idea how long the phantom image would have lasted. An hour, a day, a year?
> I recently had a Dell monitor spaz out. Even powered off and powered back on, it was somehow keeping a (corrupted) image of what it had shown when last plugged in to my laptop. It's unclear how that's possible, but others witnessed it.
Stored in the monitor control board somewhere.
Especially in the VRR era, monitors need to buffer the image in case it needs to be redrawn, or if the transfer rate is faster than the draw rate. Which will be anytime the monitor isn't drawing at max VRR sync speed.
In finance-tech and that's the way it is for us. I once embarked on a hopeless journey to get some old laptops piled up in the IT space, for an elementary school programming club. They would not sell or donate them despite them being perfectly useful laptops, even with the drives removed. I suppose they were worried about RAM? Anyway they got ground up into landfill I guess...
There is a lot of NVRAMs in devices these days that could store potential secrets. Even things like wireless cars and internal USB devices. Another good example of this is laptops, such as Apple laptops with the SSD soldered on board.
You can either make hundreds of policies that discover where all this data is, or you make one policy that destroys everything.
So can a cat.
Is the solution, then, to crush them all, treating an imperceptible risk as a certainty?
Let's also treat all suspects as guilty until proven innocent to address even more risk! /s
We recently had to destroy over 700 hard disks (10TB) because the customer didn't trust that a secure erase and full overwrite was enough to make sure no data could be recovered.
I was looking at cleaning up some of my old drive, and I was basing my decisions on outdated information. At some point in the past it used to be necessary to do many overwrites to truly erase the data, and I was just stuck on that. Took me a bunch of research on modern drives and latest best practices before I was able to convince myself what I "knew" was no longer valid, and things have changed.
I imagine that is where a lot of folks are at on this. Basically: It used to be possible, so maybe it still is. Not worth the risk, let's just go with the old best practices to be safe.
> At some point in the past it used to be necessary to do many overwrites
Even that has almost always been just a cargo cult. Some people (mainly from the hacker community) claimed that US government agencies can still read data from harddrives that have been erased. It has never been proven by any independent data recovery company.
It might have been somewhat true for MFM or RLL drives (these were before my time in IT), but at least since IDE drives, it was no longer true. However, the cult around "multiple erase cycles" still held, mainly because of companies like Norton etc. who sold snake oil tools to "securely" erase your data.
They were a provider for other customers with high security requirements (this is Europe, so the GDPR is very much in effect here) and they apparently had contracts with those customers that the drives were not to be re-introduced into the market in any way.
IMO, the problem is that people have to worry about individual blame and consequences for not being risk-averse enough, but not for being too risk-averse.
I find it strange how preachy a part of HN can get about less CO2 emissions and being eco-friendly but then unequivocally support an extremely eco-unfriendly initiative like physically destroying usable storage devices.
If you have principles, this is your litmus test. Show everyone that your principles hold even when there's a risk for you (and that risk is only perceived IMO, and not real if you have good procedures in place; and if you don't have those then you are at risk of many other problems).
Personally I don't find it that hard to have a designated "hard drive exit area" where 1-2 guys' job is basically plugging in HDDs and running `shred` on them (which overwrites them with random data in several passes) all day long.
You can have principles you desire to follow but still legally have to follow NIST 800-88. Can even add feedback to future iterations of the publication and attempt to get it changed in the future. Doesn't change the current requirement though.
And running a "shred" with multiple passes requires hardware and electricity to run, which needs to be maintained and scaled to such a level that the process could be done within a reasonable timeframe. Large drives these days could take multiple days each to run plus verification time. And now scale that to thousands of drives. That's a lot of additional hardware and electricity. Where recycling the shredded drive feels more eco friendly. But don't have any actual numbers to support that. Would definitely be interested in actual numbers and how things would play out big picture.
> "They have a zero-risk policy. It can't be one in a million drives, one in 10 million drives, one in 100 million drives that leaks. It has to be zero."
At some point human error will kick in, a firmware bug will prevent a complete overwrite of the disk, or some new technology will be able to detect overwritten data.
So measure the risk probability and show it to me?
There are multiple ways to shred. When you get drives from the bank, they have a semi down in the parking lot doing it on site. Other companies tag each device then document each one getting tossed in the shredder. If one of these devices shows back up after destruction then there is going to be some legal hell to pay.
It's nearly impossible to tell if a disk has been erased by looking at it from the outside. But a shredded device, well that's easy enough.
How risky is it to just encrypt disks or filesystems, storing the key in tpms or secure enclaves and then just discarding the key instead of actually deleting the data?
It's a lot easier to verify the process. It's a lot easier to check that all the drives leaving the building are physically destroyed, than it is to verify that they contain no sensitive data.
a little off topic but the mob has been operating this way for years when it comes to risk management... dead men don't talk, no matter how trustworthy the individual might be, it's easier to put a bullet in someones head and be done with it, than to worry about what could happen later.
For that to work you have to trust the firmware. Overwriting with something random, saving what was fed and then cross-referencing that against the storage could work better, but there's still some non-zero chance that something you're looking for is in a buffer, unreachable part of the disk or the like.
Encrypting the hard drive and then removing the key has a better chance of rendering the data unusable.
But you can't see from the outside if the drive was wiped. How can I be sure that I do not mix up the to-be-wiped and the wiped drives with 99.999% accuracy? That I did not unplug the drive before the wiping was finished? It's much easier with physical destruction.
/dev/urandom is a far better option. One problem is that writing a full drive of data can take a long time vs chucking it into a shredder. For example this[1] 22TB drive can do 260MB/s, meaning that doing one full disk write pass would take almost 24h.
In the olden days hard disks wrote data on spinning platters the size of dinner plates with heads the size of Sharpie markers, and the controllers were a Z80 microprocessor on a card with a few kB of ROM and maybe as much as 16kB of RAM.
Everything past those days though, the data is very thoroughly scrambled for spectral whitening before being written to disk so there's no practical difference between /dev/urandom and /dev/zero.
For an actual HDD, maybe that would work. For any solid state drive, it would definitely not work. SSDs and similar spread writes across pools of blocks for 'endurance', so a 1TB drive might actually have 2TB worth of flash on it.
A read/write head does not follow precisely the same path every time. It has a positioning error that makes subsequent reads/writes take place slightly offset from earlier ones.
With the proper equipment and expertise (and helped out by the error correction mechanisms), you can recover a substantial amount of data that has been "overwritten" on an existing track.
This is why "data shredding" applications erase the old data by overwriting it with random data multiple times. That increases the chances that one of those writes will also write over any older data that was shifted slightly to the side.
But that's no guarantee. This problem is why organizations that need an extreme level of security require the complete physical destruction of the platters when decommissioning.
While the second one relies on an active attack hiding data for exfiltration, the first poses a statistically possible scenario where a sector containing sensitive data like a password or part of an mbox with "We are operating a fucking unlicensed securities exchange in the USA bro" becomes a weak read (still fully completed, but slow) and gets remapped. Anyone with PC-3000 can recover this data.
There hasn't been a single public demonstration of this on a hard drive made after the 90s, nor any credible reports of private ones. So I wonder what your assertion is based on.
Falsehoods like this spreading through populations that consider themselves technically literate is one reason the NIST standard requires absolute destruction.
There are methods available that will allow second, third or even fourth generation data to be recovered from magnetic disks. Writing /dev/zero "over" an SSD won't necessarily accomplish what you expect either.
There is no way to recover it. If you know anything about how hard disks work, you'll see why.
There's this theoretical idea that you can get a kind of "latent image" of a mark or a space on the platter even if it's been overwritten, but hard disks haven't written things as literal north-to-south or south-to-north flips for 30 years or so. The data is written as changes of level and phase in a signal, and it's thoroughly scrambled to reduce the chances of a long run of patterns of all zeroes or all ones making the signal hard to recover.
Essentially, you'd be taking a list of floating point numbers, multiplying them all by another much smaller floating point number, adding on another floating point number, and trying to imagine what the original was.
It's not possible.
No, the NSA does not have a big magic machine that does it.
The wastage is shocking. Given the huge demand for (and sometimes shortage of) materials (as well as the time, money, and resources involved in creating them) there should be an established and secure process that is security/compliance approved and would allow for acceptable recycling of these hard drives.
They aren't just destroying hard drives. Companies are destroying iPhones too instead of reselling them. I know of at least one major tech company that is destroying several thousand old iPhones instead of letting my iOS automation company buy them from them.
> By comparison a cryptographic erase takes just a couple of seconds.
Wasn't there an in-depth analysis a while back of (drive) vendor provided encryption, with the end result being that they were pretty shitty implementations that shouldn't be trusted?
This is nothing new. I think I remember seeing an ad for unbelievably cheap 330 MB ESDI drives in Computer Shopper in the early 1990s. But when I called they said they had to shred them instead of selling them.
The thing I find bizarre about all of this is that 99.99% of the data people think is super important would only be interesting to a few very specific parties.
If you format a hard drive, and sell it on eBay through a generic username, then the person who buys that is not going to do some sort of FBI style forensics on the disk.
It would be like going through every single bin on every high street on the off chance that you happen across some celebrities' bank statements.
You don't need FBI style forensics, you just plug in a drive and there are the files, if the drive hasn't been erased.
Are you really OK with things like your bank account information or health records information or your e-mail history showing up on some rando's hard drive they bought from eBay, because it originally came from a cloud provider?
Exactly, 99.999% accuracy (wrt zeroing HDDs) is not enough. And the stop-gap measure for the remaining 0.001% is to have a policy that mandates shredding HDDs.
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=91793...