
Millions of usable hard drives are being destroyed

89 points | HansTheOne | 2 years ago | bbc.com

156 comments

thedougd | 2 years ago
Surprised it doesn't mention compliance frameworks as a culprit. NIST 800-88 calls for destruction if the data is highly sensitive and the drive is leaving the organization. Wrt risk management, it's not worth deviating from NIST.

https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=91793...

more_corn | 2 years ago
I faced this same problem. My company policy required destruction of data before drives can leave the colo. I even had a hydraulic drive crusher in the cage to crush failed drives.

However, the Linux utility shred can do a multi-pass random rewrite followed by zeros. (That last is critical for the next step.) Then to verify, grab a random block and sum the data. If it’s not zero, you crush the disk.

Bake that script into a NetBoot image, wipe the boot drive’s boot blocks and reboot.

I decommissioned about $5M worth of servers while preserving the disks. This preserved the hardware for reuse.

If you want to be sure send a random selection of the wiped drives to your data recovery team. They won’t be able to get anything back.
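The procedure in the comment above (random pass, zero finish, sample random blocks and crush anything that reads back non-zero), written out as an added example. This is not the commenter's NetBoot script and it does not call GNU shred; the overwrite is done in Python so the zero finish the check depends on is explicit. Assumptions made here, not taken from the thread: the target is a block device such as /dev/sdX (or an image file for a dry run) that the caller can open for writing, 1 MiB is the sample unit, and the `demo()` image path is a scratch file.

```python
"""Overwrite a disk and spot-check the result before it leaves the cage.
Added example: random pass(es), final zero pass, then read random blocks
back and refuse any drive where a sampled block is not all zeros."""
import os
import random

BLOCK = 1 << 20                # 1 MiB per sample/write chunk (assumption)
_rng = random.SystemRandom()   # urandom-backed, so sample offsets are not guessable


def device_size(fd: int) -> int:
    """Size in bytes of a regular file or block device opened as fd."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite(path: str, random_passes: int = 1) -> int:
    """`random_passes` passes of urandom data, then one pass of zeros.
    Same intent as `shred -n <random_passes> -z <path>`. Returns bytes per pass."""
    fd = os.open(path, os.O_WRONLY)
    try:
        size = device_size(fd)
        for pass_no in range(random_passes + 1):
            zero_pass = pass_no == random_passes
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                chunk = bytes(n) if zero_pass else os.urandom(n)
                remaining -= os.write(fd, chunk)   # handles short writes
            os.fsync(fd)   # push this pass to the device before starting the next
        return size
    finally:
        os.close(fd)


def nonzero_blocks(path: str, samples=None):
    """Offsets of BLOCK-sized regions containing a byte other than 0x00.
    samples=None checks every block; an int checks that many random blocks,
    which is the 'grab a random block and sum it' step."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if hasattr(os, "posix_fadvise"):   # Linux: drop cached pages so reads hit the media
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        size = device_size(fd)
        nblocks = (size + BLOCK - 1) // BLOCK
        if nblocks == 0:
            return []
        indices = range(nblocks) if samples is None else (
            _rng.randrange(nblocks) for _ in range(samples))
        dirty = set()
        for i in indices:
            data = os.pread(fd, BLOCK, i * BLOCK)
            if data.count(0) != len(data):   # at least one non-zero byte
                dirty.add(i * BLOCK)
        return sorted(dirty)
    finally:
        os.close(fd)


def wipe_and_verify(path: str, samples: int = 64, random_passes: int = 1) -> bool:
    """True: drive may leave. False: a sampled block was not zero, crush it."""
    overwrite(path, random_passes)
    return not nonzero_blocks(path, samples)


def demo(path: str = "/tmp/wipe_demo.img") -> dict:
    """Dry run on a constructed image (not a real drive): fill with random
    bytes, wipe, verify, then plant one stray byte to show the exhaustive
    check catches it."""
    with open(path, "wb") as f:
        f.write(os.urandom(4 * BLOCK + 123))   # 5 blocks, the last one partial
    result = {"before": len(nonzero_blocks(path))}
    result["passed"] = wipe_and_verify(path, samples=16)
    result["after"] = nonzero_blocks(path)
    with open(path, "r+b") as f:
        f.seek(2 * BLOCK + 7)
        f.write(b"\x01")
    result["planted"] = nonzero_blocks(path)
    os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Random sampling is a statistical check, not proof: with `samples=64` on a drive of millions of blocks, one stray non-zero block is far more likely to be missed than hit, so the exhaustive `nonzero_blocks(path)` pass, or a hardware secure erase plus a sample, is what you want before a drive actually leaves. The `posix_fadvise` call matters on real devices: without it the read-back can be served from the page cache and proves nothing about the platters.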

gumby | 2 years ago
who would want to claim that their data isn't "highly sensitive"? How embarrassing that would be!

This isn't a sarcastic remark: I think a lot of human activity can be explained this way.

fmajid | 2 years ago
I've heard from someone with a security clearance the DoD doesn't have an established and approved protocol for destruction, so in the meantime the drives are simply warehoused.
NotYourLawyer | 2 years ago
> The irony is that shredding devices is relatively risky today. The latest drives have 500,000 tracks of data per square inch. A sophisticated data recovery person could take a piece as small as 3mm and read the data off it, Mr Hands says.

I call bullshit on this, unless you can show me a single example of this ever happening anywhere.

kryogen1c | 2 years ago
Don't forget that sensitive data is encrypted. The only thing harder than breaking bitlocker on a hard drive is breaking bitlocker on a random 0.5% chunk of hard drive unaligned with the r/w tracks.

Bullshit is too weak a word.

tyingq | 2 years ago
Not in normal circumstances, but maybe in high profile ones. I imagine they would have tried to do something if they found, for example, hard drive fragments that Snowden possessed. If not for real purposes, perhaps to demonstrate they tried everything.
jl6 | 2 years ago
Plus, wouldn’t you expect paranoid orgs to overwrite with zeros/random or crypto-shred the data before physically shredding the device?

It does seem far fetched that someone would go to the trouble of putting a 3mm chunk of platter on a testbed only to most likely recover something that may as well be random noise.

hospitalJail | 2 years ago
>I call bullshit on this, unless you can show me a single example of this ever happening anywhere.

Real world and lab conditions are different.

Given how high stakes somethings can be, nothing would surprise me.

PaulKeeble | 2 years ago
There have been multiple challenges on hard drives with substantial reward offered for anyone able to take a basic formatted drive with a few MB of files that were overwritten with 0s and recovering the files. Not once did any company accept the challenge let alone complete it. Every data recovery company would tell you that is not possible.

Today we have secure erase which is necessary to clear SSDs and I doubt there is any actual technology to recover from this mechanism. A lot of hysteria has been shown around drive clearing in the standards and until the standards reflect the reality of what is really possible and what is really sufficient I can not see companies changing.

hospitalJail | 2 years ago
>Not once did any company accept the challenge let alone complete it.

Do remember that winning an award is significantly less profitable than selling your secrets to the military.

NSO Group makes more money hacking iPhones, than they make on bug bounties.

(but also I agree with you on formatting our drives)

AnotherGoodName | 2 years ago
Secure erase works well. Every other process we have around it has too much room for human error to creep in. From misconfigured drive encryption to a hdd making it to the erased pile without being erased.

Just shred it. You can't mistake a shredded drive for a non shredded drive. The margin for human error is much smaller.

akvadrako | 2 years ago
> Today we have secure erase which is necessary to clear SSDs and I doubt there is any actual technology to recover from this mechanism.

You might doubt it, but you also cannot provide much evidence against it. Trim commands just tell the controller to erase data – what they actually do internally isn't easy to discover without a major operation and internal knowledge.

The best bet is not trusting the drives at all, perhaps by storing only encrypted data, then throwing away the key.

Damogran6 | 2 years ago
I've had this argument til I'm blue in the face.

1. Nuke the key and an encrypted drive is indistinguishable from noise.
1a. When SAN sizes get STUPIDLY LARGE, multiple writes are cost and energy prohibitive, crushing is cheap, cert revocation is cheaper and leaves a device with residual value.
2. In the datacenter, data at rest is not a target, the attack happens higher up the stack where the OS/SQL/App can read the data.
3. Areal density is such that a drive in a RAID array doesn't have much to offer up*

(* = I'm willing to lose #3 if #1 is utilized.)

But there's always some mouthbreather n00b or auditor or person that took a forensics class once that stands in the way.

deepsun | 2 years ago
How do you "nuke" the key? It may still be on the drive (or other drives, or magnetic tape backups).
veave | 2 years ago
>"You don't need an engineering degree to understand that's a bad thing," says Jonmichael Hands.

Someone without an engineering degree will say it's a bad thing because it seems like pointless waste. Someone with an engineering degree will tell you of reasons why it should be done.

crazygringo | 2 years ago
This article mentions disposing of hard drives that have reached their five-year mark and are no longer under warranty.

Does anybody actually want hard drives this old? Isn't the whole point that the risk of failure and therefore data loss is too high by this point? Even if you're using them to store data redundantly, you're running the risk that when one drive fails, the backup will also encounter failure due to the stress of reading its entire contents at once in the attempt to create a new backup.

justapassenger | 2 years ago
Cryptographic encryption is safe for as long as your crypto is secure.

For any company dealing with sensitive data, relying on it to resell seems like a horrible idea. It’s not hard to imagine a sufficiently motivated attacker (likely state sponsored) just buying up drives and waiting a few years for when they can easily break the encryption.

zokier | 2 years ago
> just buying up drives and waiting a few years for when they can easily break the encryption.

"Few years" ... "easily" ... yeah, nope.

I'm pretty sure that even 15 year old luks/truecrypt/bitlocker setups are not "easy" to break today, and have very little reason to suspect that current day cryptosystems would be any more likely to get broken in "few years"

SkyPuncher | 2 years ago
From a risk management perspective, most storage devices have a "table stakes" requirement to "not lose data". Performance, storage duration, reliability, etc, etc, etc, etc, are all secondary to "do not lose data". You're dead in the water if you lose data. Everything beyond "don't lose data" can be and is proprietary implementations of read/write; often with tricks being used to increase speed.

While it's challenging (if not impossible) to recover data from most "blanked out" drives, there is often no guarantee that a blanking process actually renders the underlying data unusable. For example, I believe many SSDs will simply mark a block as "unused" rather than physically rewriting the data in that block. When the block gets used again, you simply set it to the new values.

Whether it's practical, right now, to recover data really doesn't matter. These drives are leaving an organization forever. You will have absolutely no control over them. If a technique comes out to recover data from them, you cannot risk having drives floating around that are now recoverable.

paulmd | 2 years ago
> For example, I believe many SSDs will simply mark a block as "unused" rather than physically rewriting the data in that block. When the block gets used again, you simply set it to the new values.

Most SSDs (everything that follows the OPAL standard) actually encrypt all data all the time, and support a "secure erase" mode that destroys the encryption key from the TPM and renders the data inert. Copy the flash chips to your heart's content, if you believe the premise of encryption then it'll be a couple million years before you have any chance of cracking the key.

There's no reason this can't also be used on hard drives - or via a higher-level solution like Bitlocker. Again, if you believe in the idea of Bitlocker, then if you lose (or destroy) the key the data is unusable, that's the entire sales pitch of Bitlocker. Drive data is completely inaccessible if removed from their PC and the TPM it contains, and people don't like this because Windows 11 is turning this on by default now.

Physically crushing a drive is needless and wasteful unless you fundamentally disagree that cryptography exists and can work. And it also completely eliminates the possibility that your e-waste vendor is screwing you around behind your back. Fine, have a bunch of white-noise data if you like.

The problem is that businesses like to reduce a 1-in-a-trillion chance to zero, and they're punished if something does happen. And I'm sure hard drive companies like the extra sales and probably nudge them into it too. But it's overall a market failure and a needless e-waste stream, of the kind that the EU does like to eliminate.

pierat | 2 years ago
Now why don't these companies keep the drives in-house instead of destroying? That, I don't know.

But aside that, regarding the encryption... If you used the drive without encryption at any time, then its possible to recover the unencrypted data. You'd need to guarantee that your drives were *always* used with encryption from the start to end. And that's a hard guarantee.

So yeah, if they were leaving the org, I'd destroy them too.

zaroth | 2 years ago
I don’t think that’s how it works. With these drives the AES encryption is always being done by dedicated hardware on the drive, but by default the key is just a random value stored in NVRAM.

When you do a “secure erase”, the drive will internally regenerate a new key and overwrite it in its NVRAM. Crucially, the algorithm must be securely random and the old key must be reliably overwritten. But if those conditions are met - presto! Everything on the drive that was written with the old key is now unreadable and entirely unrecoverable.

If you actually want to “lock” the drive, the key would be generated by a KDF from the password, the one saved in NVRAM would not be used.

It’s more complicated than that, if you want to support enabling a password without wiping the drive. That would involve encrypting/decrypting a stored key with the password. But either way you can definitely secure erase a modern unlocked drive, if you trust the implementation!
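A toy model of the key lifecycle described in the last few comments (a random DEK held in the drive's NVRAM, "secure erase" by regenerating that key, and an optional password that wraps the DEK with a KDF-derived key so enabling a password does not wipe the drive). This is an added example, not any vendor's firmware or the thread's own code. The cipher is a SHA-256 counter-mode stand-in for the drive's hardware AES-XTS, the sector number plays the role of the XTS tweak, scrypt stands in for whatever KDF a real drive uses, and the HMAC check on the wrapping key is this example's way of detecting a wrong password; all of those are assumptions made here.

```python
"""Toy self-encrypting drive: media holds only ciphertext, the DEK lives in
NVRAM, crypto erase = replace the DEK, lock = wrap the DEK with a KDF key.
Added example; the stream cipher is a stand-in for the drive's AES."""
import hashlib
import hmac
import secrets

SECTOR = 512
_KDF = dict(n=2 ** 14, r=8, p=1, dklen=32)   # scrypt parameters (assumption)


def _keystream(key: bytes, lba: int, n: int) -> bytes:
    # Sector number as nonce: identical plaintext in two sectors encrypts
    # differently, which is what the XTS tweak does on a real drive.
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kek(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **_KDF)


class SelfEncryptingDrive:
    def __init__(self, sectors: int = 8):
        self.media = bytearray(SECTOR * sectors)            # platters/NAND: ciphertext only
        self.nvram = {"dek": secrets.token_bytes(32),      # unlocked drive: raw DEK at rest
                      "salt": None, "check": None}
        self._dek = self.nvram["dek"]                       # volatile copy used for I/O

    # ---- host I/O -------------------------------------------------------
    def write(self, lba: int, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive locked")
        data = data.ljust(SECTOR, b"\0")[:SECTOR]
        off = lba * SECTOR
        self.media[off:off + SECTOR] = _xor(data, _keystream(self._dek, lba, SECTOR))

    def read(self, lba: int) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked")
        off = lba * SECTOR
        return _xor(bytes(self.media[off:off + SECTOR]), _keystream(self._dek, lba, SECTOR))

    # ---- key lifecycle --------------------------------------------------
    def secure_erase(self) -> None:
        """Crypto erase: media untouched, DEK replaced. Real firmware must
        overwrite the old key in NVRAM, not just allocate a new slot."""
        new = secrets.token_bytes(32)
        self.nvram.update(dek=new, salt=None, check=None)
        self._dek = new

    def set_password(self, password: str) -> None:
        """Wrap the DEK so a dump of NVRAM alone is useless without the password."""
        salt = secrets.token_bytes(16)
        kek = _kek(password, salt)
        self.nvram.update(dek=_xor(self._dek, kek), salt=salt,
                          check=hmac.new(kek, b"sed-kek-check", hashlib.sha256).digest())

    def power_cycle(self) -> None:
        """Volatile state is lost; a password-protected drive comes up locked."""
        self._dek = None if self.nvram["salt"] else self.nvram["dek"]

    def unlock(self, password: str) -> None:
        kek = _kek(password, self.nvram["salt"])
        tag = hmac.new(kek, b"sed-kek-check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.nvram["check"]):
            raise PermissionError("bad password")
        self._dek = _xor(self.nvram["dek"], kek)
```

Two properties of the comments above fall out of the model: after `secure_erase()` the bytes on `media` are unchanged, yet `read()` returns noise because nothing holds the old key any more; and once `set_password()` has run, `nvram["dek"]` is the wrapped value, so copying the flash and the NVRAM together still leaves an attacker with a KDF to brute-force rather than a key. Both depend entirely on the firmware actually destroying the old key and using a real RNG, which is the "if you trust the implementation" caveat.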

slackfan | 2 years ago
Ah, you have never been on the IT side of any shop have you? The risks to keep running said hardware, or performance, or storage space, or power consumption or whatever are too high so you aren't going to be using it. So you decom it and do what, stick it in a closet?

Decommissioned hardware that is put in storage inevitably walks home with an enterprising employee to whom the risks from the business perspective are simply not a factor.

toast0 | 2 years ago
> Now why don't these companies keep the drives in-house instead of destroying? That, I don't know.

Keep them and do what with them? If you're an enterprise running many disks, you're generally replacing them with higher capacity disks and the old disks are less useful. Or maybe you have some policy on retiring drives based on age or ssd wear. Or maybe you eliminated a storage tier for whatever reason.

rwmj | 2 years ago
My friend once worked at a place where the security policy was that every part of the PC including monitors was crushed and shredded. This was a financial services company, but nevertheless totally over the top.
cameronh90 | 2 years ago
Electronic devices keep state in all sorts of strange ways nowadays. If you have the money, the safest strategy is to shred everything rather than having to do a ton of research figuring out whether a given device needs it.

For example, lots of people don't realise how many printers are vulnerable to recovering previously printed documents. In the past, you might have just opened it up and ripped out the hard disk and memory, but nowadays with NAND and DRAM being soldered onto motherboards, do you really trust that's enough?

NoMoreNicksLeft | 2 years ago
I recently had a Dell monitor spaz out. Even powered off and powered back on, it was somehow keeping a (corrupted) image of what it had shown when last plugged in to my laptop. It's unclear how that's possible, but others witnessed it.

Had this been during something sensitive being displayed, it might warrant shredding that particular monitor. I have no idea how long the phantom image would have lasted. An hour, a day, a year?

tfandango | 2 years ago
In finance-tech and that's the way it is for us. I once embarked on a hopeless journey to get some old laptops piled up in the IT space, for an elementary school programming club. They would not sell or donate them despite them being perfectly useful laptops, even with the drives removed. I suppose they were worried about RAM? Anyway they got ground up into landfill I guess...
EMCymatics | 2 years ago
Monitors can be a security risk
dark-star | 2 years ago
We recently had to destroy over 700 harddisks (10TB) because the customer didn't trust that a secure erase and full overwrite was enough to make sure no data could be recovered.

It was really painful to watch....

Bedon292 | 2 years ago
I was looking at cleaning up some of my old drives, and I was basing my decisions on outdated information. At some point in the past it used to be necessary to do many overwrites to truly erase the data, and I was just stuck on that. Took me a bunch of research on modern drives and latest best practices before I was able to convince myself what I "knew" was no longer valid, and things have changed.

I imagine that is where a lot of folks are at on this. Basically: It used to be possible, so maybe it still is. Not worth the risk, lets just go with the old best practices to be safe.

WirelessGigabit | 2 years ago
Did the customer not use encryption?

I guess I would have trust issues with the services the customer offered.

josephcsible | 2 years ago
IMO, the problem is that people have to worry about individual blame and consequences for not being risk-averse enough, but not for being too risk-averse.
pdimitar | 2 years ago
I find it strange how preachy a part of HN can get about less CO2 emissions and being eco-friendly but then unequivocally support an extremely eco-unfriendly initiative like physically destroying usable storage devices.

If you have principles, this is your litmus test. Show everyone that your principles hold even when there's a risk for you (and that risk is only perceived IMO, and not real if you have good procedures in place; and if you don't have those then you are at risk of many other problems).

Personally I don't find it that hard to have a designated "hard drive exit area" where 1-2 guys' job is basically plugging in HDDs and running `shred` on them (which overwrites them with random data in several passes) all day long.

JumpCrisscross | 2 years ago
> If you have principles, this is your litmus test

Principles are often in conflict. There are multiple reasonable solutions to this problem.

Bedon292 | 2 years ago
You can have principles you desire to follow but still legally have to follow NIST 800-88. Can even add feedback to future iterations of the publication and attempt to get it changed in the future. Doesn't change the current requirement though.

And running a "shred" with multiple passes requires hardware and electricity to run, which needs to be maintained and scaled to such a level that the process could be done within a reasonable timeframe. Large drives these days could take multiple days each to run plus verification time. And now scale that to thousands of drives. That's a lot of additional hardware and electricity. Where recycling the shredded drive feels more eco friendly. But don't have any actual numbers to support that. Would definitely be interested in actual numbers and how things would play out big picture.

V__ | 2 years ago
> "They have a zero-risk policy. It can't be one in a million drives, one in 10 million drives, one in 100 million drives that leaks. It has to be zero."

At some point human error will kick in, a firmware bug will prevent a complete overwrite of the disk, or some new technology will be able to detect overwritten data.

Kab1r | 2 years ago
How risky is it to just encrypt disks or filesystems, storing the key in tpms or secure enclaves and then just discarding the key instead of actually deleting the data?
lostmsu | 2 years ago
The article says Seagate refurbishes SSDs after cryptographic erasure and resells with 5 year warranties. Where can I browse them?

I've only seen their refurbished HDDs.

al2o3cr | 2 years ago
Mr Hands (lolz) wants everyone to know that the only correct way to destroy usable hard drives is via his company's crypto-mining scheme.

He's not... HORSING AROUND

rasz | 2 years ago
This article again, its a submarine for crypto storage staking scam (Chia Network).
ReactiveJelly | 2 years ago
Defense in depth is the reason.
HPsquared | 2 years ago
It's a lot easier to verify the process. It's a lot easier to check that all the drives leaving the building are physically destroyed, than it is to verify that they contain no sensitive data.
Gordonjcp | 2 years ago
Okay, but a single pass of /dev/zero will destroy all the data beyond hope of recovery.
3littlefish | 2 years ago
The wastage is shocking. Given the huge demand for (and sometimes shortage of) materials (as well as the time, money, and resources involved in creating them) there should be an established and secure process that is security/compliance approved and would allow for acceptable recycling of these hard drives.