Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Privacy Your Rights Online

Why 'rm -R star' Isn't Enough 396

Posted by timothy from the clear-your-cache dept.
zdburke writes: "Short but interesting article in the New York Times (free reg req'd) about how difficult it is to cover your digital tracks because electronic documents are so well distributed -- on your lap top, on your workstation, on the server... Yes there are tools to thoroughly delete files on your computer, rather than just unlinking them when they're put in the trash, but it's the distributed nature of content these days that poses a special problem to the Ollie North's of the world."
This discussion has been archived. No new comments can be posted.

Why 'rm -R star' Isn't Enough More

Why 'rm -R star' Isn't Enough

Comments Filter:

  • Not a problem... (Score:5, Funny)

    by Sabalon ( 1684 ) on Monday January 14, 2002 @09:33AM (#2835779)
    On my harddrive space challenged machine, usually the reason I delete something is to make room for something else. So, chances are if they want "super-secret-MS-secrets.txt", the sectors have already been overwritten by "bspears-nude.jpg"

    :)

    • Re:Not a problem... (Score:2, Informative)

      by tkrabec ( 84267 )
      Depending on the level of "security" you are looking for overwriting a file is not good enough. With proper analysis files can be recovered when they have been over written several times. This is expensive and time consuming, but it can be done.

      -- Tim

      • Re:Not a problem... (Score:3, Interesting)

        by Anonymous Coward
        agreed. did you know, if you start with a blank disk, there is nothing there. If you write it to 10101010101... and then to 11111111..., you can tell which one used to have a one under it and which one had a zero. In fact, it's been postulated that if you had a very high-resolution scan of the media (not even anywhere near atomic level is necessary), you could piece together every read and write that had ever occured on it, together with the order, and possibly also (roughly) the timing. (Since the extent to which an area is magnetic fades over time.

        The answer, of course, remains not "several passes from dev/random" but rather, several swipes past a BFM.

    • Don't just delete (Score:3, Informative)

      by einhverfr ( 238914 )
      dd if=/dev/zero of=/dev/hda works for me ;)

      Repeate 4 or 5 times, and good luch recovering anything...

  • Mirrors (Score:4, Insightful)

    by alsta ( 9424 ) on Monday January 14, 2002 @09:35AM (#2835785)
    If you're afraid that mirrors will copy your files, why don't you just overwrite the file with the same name, just some bogus data. That file will be mirrored again since it has a new date.

    Sometimes when a problem gets high tech, it's time for a low-tech approach.

    • Re:Mirrors (Score:2, Informative)

      by _DMan_ ( 105238 )
      why don't you just overwrite the file with the same name, just some bogus data

      This method does not ensure that any of your data is actually overwritten because the operating system is free to decide where on the disk it locates a file (or portions of it). Even though the filesystems references to that file name are destroyed by this method, the user has no guarantees that the data in the original file is overwritten. This is especially true in the case of remotely mounted filesystems which may not even implement the type of filesystem they appear to (e.g. Samba on Linux looks like it implements a MS filesystem).

      This is the major shortcoming in most of the "secure delete" tools I have looked at.

  • addition (Score:2, Informative)

    by PHanT0 ( 148738 )
    I always like to add the "f" right after that "-R"...

    That good enough for ya? :>

    • Re:addition (Score:2, Informative)

      by transient ( 232842 )
      I always like to add the "f" right after that "-R"...

      The only thing -f does is delete files without asking. That's good for getting rid of large numbers of files, but it won't overwrite any of the data.

      If you're using a BSD box (MacOS X included), you can use -P. On Linux you can use srm [sourceforge.net].

  • Undeleting files on *nix (Score:5, Informative)

    by Sobrique ( 543255 ) on Monday January 14, 2002 @09:37AM (#2835795) Homepage
    It's quite possible to recover files, because, much like PCs nothing actually gets 'deleted'. The inode is marked as 'available for reuse' and removed from the directory entry, but doesn't actually remove anything.
    Looking for an undelete? Take a look at the coroners toolkit [http]. There's even instructions on how to recover files from a unix partition (any unix). It's one of those ones which you'd _really_ need to recover the data because it's hard work and a pain, but it is possible.
    I don't recall seeing and 'write with zeros' program for Unix. I guess there must be some out there, since at a guess it's fairly trivial. (would dding /dev/zero over a file just prior to erasing it work?)
    Of course, there's always disk analysis with an electron microscope, which I've always heard was possible but it's not one I've ever had substantiated.

    • Re:Undeleting files on *nix (Score:4, Informative)

      by Sobrique ( 543255 ) on Monday January 14, 2002 @09:40AM (#2835803) Homepage
      And for those who noticed, I can't type URLs, so here it is again :) http://www.porcupine.org/forensics/tct.html [porcupine.org]
    • Please check your link. Should be coroners toolkit [porcupine.org] [www.porcupine.org]

    • Re:Undeleting files on *nix (Score:5, Informative)

      by Anonymous Coward on Monday January 14, 2002 @09:45AM (#2835828)
      I take it you haven't met shred

      NAME
      shred - delete a file securely, first overwriting it to
      hide its contents

      SYNOPSIS
      shred [OPTIONS] FILE [...]
    • For Everyone's benefit, the link is The Coroner's Toolkit [porcupine.org]
    • As in the article:
      It is possible to take a disk apart and use an electron microscope to read information from the individual magnetic spots on the surface of a disk that may have been intentionally erased, Mr. Patzakis said. Originally a tool of the intelligence world, this technique -- which is costly -- has been used successfully in big legal cases.
      So simply enough, legal cases can force the use of that kind of technique.

      I can recall the nervousness of some folks dropping off their computer at a repair shop, because the machine had failed before they had a chance to destroy their pron collection and they had slightly exotic tastes. Things like that are always usefule to a legal team.

    • Why go that far? Even good old Norton Midnight Commander can do an undelete of the files on Linux.

      It had troubles with the 2.0.x series, where only the first few blocks could be recovered, but as of 2.1.x & upwards, it works like a charm on ext2.

      I'm sure there would be other utilities capable of this for other platforms. There was also this old program for Solaris (whose name I've forgotten) that'd do just what you'd said to restore deleted files.

      • Nitpicking (Score:2, Informative)

        by jawtheshark ( 198669 )
        You shoudn't call it "Norton Midnight Commander". There is a "Norton Commander" (old DOS proggy) and there is " GNU Midnight Commander" [ibiblio.org]" which you could call the Linux clone.

        Norton has nothing to do with Midnight Commander.

    • Re:Undeleting files on *nix (Score:4, Informative)

      by image ( 13487 ) on Monday January 14, 2002 @09:50AM (#2835851) Homepage
      Try using BestCrypt from Jetico [jetico.com] -- it works on Un*x and Windows. This is a great tool for creating a mountable encryted filesystem (just about every algorithm under the sun is supported, including 3DES and Blowfish).

      Also included (which is why this reply is relevant) is the bcwipe utility, which does Department of Defense recommended (5200.28-STD) deletion.

      It isn't "free-as-in-speech" but it does have a "free-as-in-beer" evaluation copy.

      Check out:

      http://freshmeat.net/projects/bestcrypt/ [freshmeat.net]

      and

      http://www.jetico.com/linux.html [jetico.com]

    • Re:Undeleting files on *nix (Score:4, Funny)

      by dunstan ( 97493 ) <dvavasour@i e e . o rg> on Monday January 14, 2002 @10:42AM (#2836024) Homepage
      This is the basis of my favourite party trick - booting a Linux system without a kernel. As LILO works pointing to a disc location (rather than a filetable entry), you can boot a system from a kernel which has been deleted as follows:

      1) Put /boot into its own disc partition (to stop normal filesystem activity reclaiming the disc blocks)
      2) Use lilo etc., to set the machine to boot off a kernel image
      3) rm the kernel file
      4) reboot the machine

      Because nothing in /boot has reclaimed the disc blocks, LILO will still be able to start loading at the the same data location, and will still find disc blocks which constitute a valid kernel. Voila, you've deleted your kernel, but still booted it.

      Obviously, Don't Try this out unless you know what you're doing - and even then try it with a spare kernel, not your only one.

      Dunstan

  • Wrong approach (Score:3, Interesting)

    by Rostoff ( 549205 ) on Monday January 14, 2002 @09:38AM (#2835797)
    Don't try to cover your tracks, delete every little bit of info about you, that's waaay too much time and effort. Want you want to do is put sooo much crap out there, no one can tell the real info from the synthetic.
    Also, it's the internet. Make up shit. The only thing you really can't lie about is online purchases with a credit card (well...), anything else is open territory for your imagination!

  • It's you that controls distribution... (Score:5, Funny)

    by Calle Ballz ( 238584 ) on Monday January 14, 2002 @09:39AM (#2835801) Homepage
    Say you have important information on your hard drive. You only want one other person to see that information so you put that information on a floppy disk then give it to that person. No one else can see this information. You then take a pencil and stab the magnetic film of the floppy about 30 - 40 times. You then take lighter fluid and douse the entire floppy and light it. Stomp on the ashes for extra measure. Since the data has been on your computer. You must first take your hard drive out. Expose it to a giant magnet, then shoot it with a 12 guage (twice). Take all the IC's out of your computer and smash them with a sledgehammer, then run over them with your truck. Burn those with lighter fluid too. Since your monitor most likely displayed that sensitive information, you must take it to a helicopter and drop it. Have the helicopter land on the debris for safe measure.

    Ensure that the other person gives your data to no one. Do a thorough background check on him and his closest 50 living relatives. After he is done processing the information; shoot him.

    No need to worry about any information getting anywhere.

  • Gotta get one of them thar modern computers (Score:4, Funny)

    by Sabalon ( 1684 ) on Monday January 14, 2002 @09:39AM (#2835802)
    That is because modern computers organize information by using file-system directories that point to physical areas on a disk drive where the data resides. "Deleting" the information usually only breaks the link between the directory and the data so that the original storage space can be reused in the future.

    Gee...what a stride. Too bad we didn't have technology like this in the 80's. A company like Norton could have made a killing making tools to relink the file table with these sectors, almost as if they were UNDELETEing the file.

    I just love expressions like "modern computers" used in this way, when the reporter meant to say "Well...this is new to me, must be new to the computer too." Of course, we all know that it is the computer that has this behaviour - not the OS sitting on top of it :)

    IIRC, DOS used to just replace the first character name of a file with a ? in the FAT when you deleted it, so to undelete it, you just supplied a letter to "rename" the file as.
    • IIRC, DOS used to just replace the first character name of a file with a ? in the FAT when you deleted it, so to undelete it, you just supplied a letter to "rename" the file as.

      Er, it also marked the blocks free in the FAT. Putting the first char back lets you read the file, but it won't prevent random blocks from getting overwritten with other data!

      • Thanks for the correction - I knew something didn't sound right - yeah...I have 10M of file on this 20M disk and it says it's full :)

        I do remember the "don't even breath until I run undelete" kinda panics. Sadly, not even undelete will save you when you accidentally open a file for w instead of a or r mode :(
        • I do remember the "don't even breath until I run undelete" kinda panics. Sadly, not even undelete will save you when you accidentally open a file for w instead of a or r mode :(

          Yeah, but FFS-snapshots will (if you make them frequently enough). I expect Linux will get a similar thing sooner or later...

          Hmmm, that reminds me, another delete problem is snapshots on things like the NetApp NFS toaster, and the BSD FFS-snapshot stuff. Not only do you have to wait for the snapshot to go away before a delete happens, you can't overwrite the file in any easy way since the modifyed blocks are saved off.

          The other peoblem with snapshots is if you notice a bad permision and fix it people can still look in the snapshots for quite some time and find the stuff! That could be a real problem for Plan 9 style systems that do one snapshot a day and keep them forever...

  • I personally don't keep anything around on my computer that has any incriminating information. If I did, I'd be damn sure that it's not in a shared space that gets copied onto any server or anything like that. I think any computer savy person already knows that you just don't keep digital records of things you don't want people to find out, and you definitely don't keep them anywhere there's a remote possibility the data could be duplicated. This will probably only jump up and bite the illiterate "business major" types, and I really don't have a problem with that.
    • I think any computer savy person already knows that you just don't keep digital records of things you don't want people to find out, and you definitely don't keep them anywhere there's a remote possibility the data could be duplicated.

      Criminal masterminds are pretty few and far between. Mostly criminals are kinda dim. Plus if people have been caught cheating on their wives/husbands (not illegal as far as I know, but not a stunningly good idea) by looking at their supermarket club records (catching them buying wine or condoms are the wrong shopping market, that were not used with their spouse)...well, I can imagine you could look at their palm desktop app and find a record for their hot date!

    • Re:Does anyone really have a problem with this? (Score:4, Informative)

      by peripatetic_bum ( 211859 ) on Monday January 14, 2002 @09:58AM (#2835869) Homepage Journal
      Actually, the idea that just because you have nothing to hide means that you shouldnt have the ability to hide something is an interesting fallacy.

      Foucalt was a 60's "post-modern" French philospher who studied how systems of control are used to keep a Power in place. One of his most interesting insights was the more you can observe something the more the you can label it, quantify it, and more important the easier it becomes to define a Norm. Once you have a defined a norm, you know have the means to control the subject you were initally just merely observing.

      I think this is a case of being able to keep something from observation, ie keep it away from ouside powers

      anyway, thanks
      • Can you suggest any good Foucalt books? Preferably starting with a 'primer' or 'introduction' sorta thingy?

  • PGP (Score:5, Informative)

    by iGawyn ( 164113 ) on Monday January 14, 2002 @09:40AM (#2835807) Homepage Journal
    If you are concerned enough about your data to want to permanently delete it, or at least keep your tracks covered, you'll use PGP and either wipe your freespace multiple times to completely obscure data, and/or keep your important files encrypted.

    Although encryption is, in theory, breakable, the resources to do so don't exist (unless the NSA has some quantum computers squirreled away somewhere), your files will be safe.

    In short, if you want to keep files private, use PGP, and use it wisely. If you don't make more of an attempt, other than "well, if I tell Windows to delete it, it's gone", to keep files hidden/gone for good, you deserve to have your data recovered.

    Gawyn

    • PGP wipe does a very poor job. (See this link) (Score:5, Interesting)

      by SomethingOrOther ( 521702 ) on Monday January 14, 2002 @10:06AM (#2835897) Homepage

      PGP [pgpi.org] is a brillient tool for encryption (esp. e-mail) and PGP disk [pgpi.org] or Scramdisk [clara.net] are great for secure archiving on windoze machines. However the PGP wipe isn't very good. This link [mccune.cc] explains why and gives good alterantives for windoze users.

      Linux users already have encrypted filesystems and secure file wipeing as standard in all(?) common distro's. (I know that SuSE even lets you overwite the wiped files with zeros to hide its very existance)

    • Re:PGP (Score:3, Insightful)

      by sunking2 ( 521698 )
      You are safe until they start taking a hammer to your toes and fingers. Or cut off and stuff your own ear in your mouth. Or put a gun to your mothers head. While you may be somewhat protected from the government using such tactics, what about if what you had on your computer in someway incriminated the mob, or monsanto, or someone else (ie, you're a reporter or something).

      While its probably a silly movie, its kind of like in the soon to be released Nicholas Cage movie Windtalkers. For those not familiar, in WW2 the US used Navajo Indians to communicate because the Japaneese would never be able to figure out hte language. Nicholas Cage is a marine with orders to protect one of them. He also has orders to kill him rather than be captured. Your encryption is only as safe as your key and through drugs or violence i'm pretty certain just about any key can be extracted from someone.

    • Re:PGP attacks (Score:3, Interesting)

      by CharlieG ( 34950 )
      You said
      Although encryption is, in theory, breakable, the resources to do so don't exist

      While the resources probably don't exist to directly attack PGP, this makes certain assumptions
      • That PGP has no leaks
      • That there have been no mathematical breakthroughs in factoring

      Even if those are true, there are other attacks possible - Most people don't use a sufficient passphrase, so that becomes the easiest attack.
      After that, you have to worry about things like "Magic Lantern" and black bag jobs
      How paranoid do you want to get?
      • After that, you have to worry about things like "Magic Lantern" and black bag jobs
        "Magic Lantern" style keyloggers may be avoidably by opening notepad along side PGP, and switching across and typing in some gibberish or other words, sometimes using a word that contains a letter that is in the password. For instance, if the password contains 'ge', then switch to notepad, type in 'be', then switch back to the password input and type 'g', then switch to notepad, type 'on', then switch back and type the 'e'. Looks like "begone", or "beg one". Try to get the timing right, in case it logs timing as well. Or you could pretend to be typing in some inocuous sentence, occasionally switching across to the password input and typing a letter of the password, then switch back, press backspace, and carry on as if you had just corrected a mis-type. Throw a few in that you don't correct, and a few other corrected typos as well. Dilligent analysis of these 'corrections' may reveal the password if it is a couple of words, though. I suppose this is a form of steg.

  • That's why I own (Score:3, Interesting)

    by hrieke ( 126185 ) on Monday January 14, 2002 @09:41AM (#2835811) Homepage
    A big 'old electromagnet.
    Degauss the disk and it's gone for good.
    Accually, does anyone else remember the movie Blue Thunder?
    The video tape jackets had electromagnets build into them, and thus could delete any tape that the bad guys wanted.[1]

    I wonder when IBM or someone will build a HD with a self delete 'fail safe' system. When the drive powers down without a password, wipe.

    [1] There is some ironny here somewhere folks. Just can't think of a witty remark.

  • Electron Microscope (Score:3, Interesting)

    by GigsVT ( 208848 ) on Monday January 14, 2002 @09:45AM (#2835826) Journal
    It is possible to take a disk apart and use an electron microscope to read information from the individual magnetic spots on the surface of a disk that may have been intentionally erased, Mr. Patzakis said.

    I monitor the forensics list on securityfocus, and there was discussion that this might be mostly a myth.
    • for the most part, you don't even need to take the hard drive apart to do this. I have seen and even once had the oppurtunity to use a forensic computer that had the ability to scan through the hard drive, and determine just about anything that had been deleted, wiped, or over written. It has the hard drive read the magnetic echo left on each sector. The machine is mostly used as evidence against kiddie porn fuckers to prosecute them. I didn't really believe it until I see it... so anything I don't want seen... I shoot it with my 12 guage (repeatedly). Seriously.

    • Re:Electron Microscope (Score:4, Interesting)

      by WNight ( 23683 ) on Monday January 14, 2002 @02:30PM (#2837233) Homepage
      Well, it appears to be somewhat true.

      First, it's difficult. It involves removing the platters from the drive and mounting them in a machine designed to read from that platter density.

      Then, the machine can read from 0 to N generations of older data. This is dependent on the quality of the medium (I guess, better drives are less secure in this fashion) and the repeatability of the data used for overwrites.

      If you overwrite something with all zeros (or ones), it's almost guaranteed to still be there later because all you did was weaken (strengthen) the signal, the variation between two signals with the same current value represents the original value.

      This is why the idea is many secure overwrites. Perhaps all zeros once or twice, but interspersed with "secure" random noise. As soon as they lose track of layer N, they can't get N+1.

      However, the task usually doesn't depend on getting the contents of the whole disk back, usually they can still read the meta data and know what to concentrate on (and if they can't, they know where the meta data sits, so they concentrate on that) and then they go after certain files likely to be the most useful.

      Most common "secure delete" utils use low-grade PRNGs and non-random seeds. If you can figure out the output of these and then deduce the seed, you can figure out the data used for any portion of the overwrite and from that, have a pretty good chance of recovering the data.

      Now, this is what I've heard, from people in the field, so don't take it as gospel. The one thing they all agreed upon though is that this level of analysis is hideously expensive. Not $500 / hour like "normal" data recovery, more like $500k up front and then $5k / hour... It involves cryptanalysis to crack the "random" overwrites and a host of other professionals. It also wouldn't be used to bust a kiddy pornographer (is that a kid who makes porn, or ...) or the logs of a mob boss. It'd be used in espionage type issues, where there's more than money on the line.

      It's almost always destructive analysis too; they destroy the media getting the data and they don't get 100% so they can't put it on a new drive and put it back in the computer. If this happens you're gonna know it, at best they'd substitute a different drive to make it look like yours crashed. (Maybe that's why so many potential spies were sold the IBM 75GXP series drives - plausible crashes... :)

  • On the opposite side on the coin (Score:5, Informative)

    by Nailer ( 69468 ) on Monday January 14, 2002 @09:49AM (#2835839)
    Yes there are tools to thoroughly delete files on your computer, rather than just unlinking them when they're put in the trash, but it's the distributed nature of content these days that poses a special problem to the Ollie North's of the world.

    Well, I don't think any OS has ever been short of undeletion tools [uprm.edu] - in unix, one can grep the inodes on a disk for a particular known string of a file and recover it fron a known template. Tools like gpart [uni-hannover.de] (a partition guesser) also easily recover those vital 512 bytes of your hard disk.

    Where Unix has been lacking, behind most other systems, is the opposite - a good, reliable, trashcan. It might be interesting to note that there's now a reliable trashcan for Linux, BSD and other glibc systems th simply preloads and wraps unlink, `move and a couple of other system calls.

    Since glibc is a part of the Linux Standard base, it works along with every LSB standard app. Even better, it doesn't matter whether you delete the file from KDE, GNOME, shittyunixtoolkitforhellcirca1980something or a terminal.

    Anyway, check out Libtrash [m-arriaga.net]. And if you're a GNOME or KDE hacker, I'll give you a big hug if you use this as the default trashcan or your next release. :D

    • Well, I don't think any OS has ever been short of undeletion tools DOS 3.3 and earlier? Undelete was actually ridiculously simple -- all del did was to change the first letter of the filename in the directory to an illegal character ("?") and mark the space as free -- so eventually there were third party commercial and even shareware utilities, but Microsoft didn't release an undelete utility with the OS until at least v. 4.0.

      (This wasn't the only obvious and useful utility that was missing although it would only take someone who knew their way around the DOS source a few hours to write it. I have to figure that MS programmers either didn't use DOS much, or else didn't release the tools they used themselves when working in it.)
  • Syncronize all of your files with a version encrypted with a randomly generated key. Not instant, but they all become effectively "erased". (Unless your using some type of versioning system)

  • Easy (Score:2, Funny)

    by Anonymous Coward
    cat /dev/urandom > /dev/hda1

    repeat until satisfied
    • Or just make repeated copies of a large file that isn't private. This is even simple under Windoze - just create a DOS batch file to make the multiple copies.
      • I think it would be easier under unix. you could write a much better script that would do more. DOS batch files are pieces of shit compared to a decent scripting language.

  • rm -RP * on *BSD systems (Score:4, Informative)

    by redelm ( 54142 ) on Monday January 14, 2002 @10:00AM (#2835877) Homepage
    Of course `rm -R *` isn't enough -- it just unlinks files, but doesn't delete datablocks. To delete datablocks, try the -P option which overwrites the file data before unlinking. Unfortunately, this option is not available on GNU `rm` which is used on most Linux systems.
    • This interesting to learn. Good thing I run FreeBSD.
    • Of course `rm -R *` isn't enough -- it just unlinks files, but doesn't delete datablocks. To delete datablocks, try the -P option which overwrites the file data before unlinking. Unfortunately, this option is not available on GNU `rm` which is used on most Linux systems.
      It would be trivial to add that to GNU rm, but it's futile since there is another gnu tool for this purpose called GNU shred.
      From the GNU shred info node:
      shred overwrites devices or files, to help prevent even very expensive hardware from recovering the data.

      Ordinarily when you remove a file (*note rm invocation::), the data is not actually destroyed. Only the index listing where the file is stored is destroyed, and the storage is made available for reuse. There are undelete utilities that will attempt to reconstruct the index and can bring the file back if the parts were not reused.

      GNU shred is very featerful, as costumary in GNU utils, and has many flags to modify the behaviour.

      BSD ppl are always praising the 'Unix Way' of small utilities that do a very defined job and nothing more, and hate the extended features that GNU utils provide; in this case it's BSD rm that is doing something that could be done by another tool by adding a flag! Horror!

      Seriously, GNU shred is a good tool, and it can receive some interesting flags that a simple rm -P doesn't support.

      cheers,
      fsmunoz
  • Of course 'rm -R *' isn't enough...

    ... you need '-f'!

    Yeah, thats better.
  • Exploding chips [slashdot.org]. Just store the information on EEPROMs made from this material. You want to erase it? Just have it explode!

  • Use shred Instead (Score:2, Informative)

    by exor ( 21736 )
    shred -f *.*
    It kill DATA DEAD

    • Re:Use shred Instead (Score:5, Informative)

      by whovian ( 107062 ) on Monday January 14, 2002 @10:49AM (#2836047)
      The man page for shred says

      CAUTION: Note that shred relies on a very important assumption: that the filesystem
      overwrites data in place. This is the traditional way to do things, but many mod
      ern filesystem designs do not satisfy this assumption. The following are examples
      of filesystems on which shred is not effective:

      * log-structured or journaled filesystems, such as those supplied with

      AIX and Solaris (and JFS, ReiserFS, XFS, etc.)

      Using shred on ext3 does not seem to be a good idea. I use srm instead. srm overwrites the data 30+ different times using bit patterns and random patterns. The high number of overwrites is supposed not only to allow for slight deviations in alignment betweeen the drive heads and track on the platter, but also meets some very high (you might say "federal") standards, short of (or in some cases, followed by) incinerating the disk.

    • Re:Use shred Instead (Score:3, Informative)

      by Tim C ( 15259 )
      Unless you use a journaling filesystem. From the man page:


      CAUTION: Note that shred relies on a very important
      assumption: that the filesystem overwrites data in place.
      This is the traditional way to do things, but many modern
      filesystem designs do not satisfy this assumption. The
      following are examples of filesystems on which shred is
      not effective:

      * log-structured or journaled filesystems, such as those
      supplied with AIX and Solaris (and JFS, ReiserFS, XFS, etc.)


      There are a few other caveats, but that's the important one for me, given that I upgraded my machine at the weekend and only yesterday reinstalled Mandrake 8.1 with reiserfs for both my / and /home partitions...

      Cheers,

      Tim
    • and if you really want to delete all files, drop the old MSDOS pattern of *.*. Just use *. The *.* pattern requires a dot to be in the filename.

  • GNU shred (Score:3, Informative)

    by suso ( 153703 ) on Monday January 14, 2002 @10:11AM (#2835914) Journal
    There is a program called shred that comes with most distributions nowadays that overwrites the files with different patterns before unlinking them. There was something about this on Slashdot a while ago. This program seems to use a simular algorithm.
  • I was hired to recover files from a hard drive by a woman who was getting a divorce. Her husband had been cheeting on her. The moron had norton systemworks installed on his system and never defraged his drive. I was able to recover over a years worth of incriminating emails with nortons undelete. Boy was that easy money

  • Easy Solution... (Score:5, Funny)

    by telstar ( 236404 ) on Monday January 14, 2002 @10:12AM (#2835920)
    If you have problems destroying documents, you could always ask Arthur Anderson or Enron.

  • Some old BugTRAQ posts on this subject (Score:4, Interesting)

    by Effugas ( 2378 ) on Monday January 14, 2002 @10:30AM (#2835982) Homepage
    Bit busy -- finishing up The Book(TM) -- but I wrote a bit about this subject some time ago. Head over to: http://www.doxpara.com/read.php/security/secure_de letion.html

    There's a Part 2, and some other stuff over there too. yeah, the site needs to be updated desperately. Wait till feb.

    There's one piece of information that's very new and very, very cool: Apparently, some company has been going around the WTC crash site, picking out hard drives from crushed servers, and (though I can't imagine this) actually recovering data from the drives through all the crush damage and dust. I mean, yes, the concept that a non-portable, super expensive, very labor intensive read head would be able to recover significantly more data redundancy than some mass produced mag-head is unsurprising, but...damn.

    --Dan

  • US Government Outlaws File Deletion (Score:4, Funny)

    by t_allardyce ( 48447 ) on Monday January 14, 2002 @10:33AM (#2835992) Journal
    The US government today announced plans to impose restrictions on so called 'File Deletion' utilities, and possibly even outlaw them altogether, in the name of national security. "These file deletion programs can be used by terrorists to cover their tracks, and remove evidence." claimed a government security expert. "criminals such as Osama Bin Laden, can cover up any electronic evidence, and make prosecution impossible." However, civil liberties groups claim that the ban would infringe their first amendment rights. Other experts claim that anyone can create a file deletion program with even basic programming knowledge. We interviewed one expert who explained how: "One simple way to make sure your data is wiped clean, is remove the hard drive from your computer, and place it in a furnace for 15-20 minutes." the interview was cut short, when government agents stormed the building and arrested the expert for "discussing circumnavigation devices for data deletion".
    • > However, civil liberties groups claim that the ban would infringe their first amendment rights. Other experts claim that anyone can create a file deletion program with even basic programming knowledge.
      >
      >We interviewed one expert who explained how: "One simple way to make sure your data is wiped clean, is remove the hard drive from your computer, and place it in a furnace for 15-20 minutes." the interview was cut short, when government agents stormed the building and arrested the expert for "discussing circumnavigation devices for data deletion".

      All charges were dropped and Hilary Rosen was released later that afternoon.

      A spokesperson for Ms. Rosen was later quoted as saying "We are pleased the government clearly recognizes that the First Amendment guarantees our legitimate corporate interest in constructing new and innovative digital rights management schemes."

  • shred (Score:2, Interesting)

    by nzhavok ( 254960 )
    so what about shred then? From the man page:

    Delete a file securely, first overwriting it to hide its contents.

    By default it overwrites it 25 times, IIRC DoD standard is 7 times so it should be enough.

  • FreeBSD has rm -P (Score:5, Informative)

    by seanadams.com ( 463190 ) on Monday January 14, 2002 @10:43AM (#2836027) Homepage
    On some systems, rm has an option to nuke the contents of the file before unlinking it:

    man rm
    <snip>
    -P Overwrite regular files before deleting them. Files are overwritten
    three times, first with the byte pattern 0xff, then 0x00, and then 0xff
    again, before they are deleted.
    </snip>

    You can just put "alias rm rm -P" in your login script to make this the default.

    • Try using "obliterate" (Score:3, Informative)

      by gmcraff ( 61718 )
      FreeBSD users have the program obliterate in the sysutils part of the ports collection. It takes pains to overwrite the data in order to make sure the file, even if re-linked, is unusable.

      If I understand correctly, it open the file for writing multiple times first. First it writes 0s, then 1s, then alternate beginning 0s and 1s, then 1s and 0s, then patterns of 1s and 0s of all descriptions, then several passes from /dev/rand.

      The upshot is that even if you find the inode and relink to the data, it's been overwritten so many times than you really can't possibly recover it even using forensic methods.

  • In a book I read a while back (by Tom Clancy and Steve Pieczenik) in a series called 'Net Force' a super-geek (described as a brilliant genius) apparently had a bad childhood that caused him to want to wipe out any informational link to his family that might exist. The book is set in a time where the Internet is far more expansive than it is now, where all information is stored online and all communications take place online and search engines are all powerful. In this setting, the author introduces what he terms a 'killbot' - a small application or scriptlet whose purpose is to literally 'kill' information.

    The way it is described, these 'killbots' are illegal (big surprise). They apparently work by hacking into information sources turned up by search engines and removing the relevant information from the source's databases. While all very fictional, I wonder how far we are from something of this nature. Information may want to be free, but if someone wants to remove information by any means necessary, this may not be far off.

    Just a thought.

  • These guys have a cunning method [coincidencedesign.com] to make sure their data can't be read:

    "sensitive data is stored on hard disks which are hard-wired to physically self-destruct when tampered with"

    If you're lucky it might take out the investigating officer too...

  • Largely Irrelevant (Score:5, Informative)

    by dh003i ( 203189 ) <`dh003i' `at' `gmail.com'> on Monday January 14, 2002 @11:37AM (#2836255) Homepage Journal
    For most of us here, the gov'ts electron-microscope method of determining old data is irrelevant. How many of you here think that it'll be employed against you? That said, I suppose for those of us who engage in a big-time trading of files via P2P networks, & DeCSS, etc, there's always the possibility of criminal prosecutions. So, let me go over the 3 types of "data deletion", and say where each should be used:

    1. Typical deletion. Files are unlinked with their directories, so your OS does not "see" them and has more space available to write with. If the information is not sensitive, or you don't fear intrusion, this is the fastest, and also best, method of deletion. It simply changes the first character of a file name do something that your OS doesn't recognize -- a very fast process. The Advantage: data is recoverable via a data-recovery utility. The Disadvantage: the data has not been securely eliminated.

    2. Simple once-sweep wipe-over deletion. Either random 1s and 0s, or wholly 1s, or wholly 0s, are written over an entire file. Use this for data that is sensitive, or where you fear cyber-intrusion by hackers. The Advantage: data is securely eliminated, beyond the reach of anyone who hacks into your computer. The Disadvantage: data is irrecoverable to you, should you realize you made a mistake, and this process is slower.

    3. A multi-sweep wipe. Same as above, but many sweeps are performed, enough to make typical electron-microscopy methods of data-recovery inviable. This method effectively makes data irrecoverable by any means. Electron microscopes can detect "old zeros" by ghost-patterns, a slight trace. But if data has been written over many times, the older data is impossible to recover even by those methods. The Advantage: this method securely removes the data, beyond the reach of any technological means. The Disadvantage: this method is very slow, and again, data is irrecoverable should you learn you made a mistake.

    It should be noted that whenever you want to securely delete data, not only do you need to wipe the file, but you also need to wipe your swap files and your temporary files.

    So, let me summarize when each of the methods of "data-removal" should be used, starting with the strongest method (a multi-sweep wipe), and ending with the weakest method (the renaming of the first filename character to something unrecognizable):

    1. A multi-sweep wipe. Use this when you have data on your computer that could be used against you in a lawsuit or prosecution. For example, certain kinds of pornography, copyrighted files, warez, and other various information that's been deemed "illegal" by the Information Police in the MPAA, RIAA, MS, and the US Gov't.

    2. A single-sweep wipe. Use this for information that is sensitive, but that you need not fear should the government get ahold of. For exmaple, financial files, files containing credit-card information, etc -- anything you'd want to protect from online-hackers using data-recovery programs. The government, though draconian, has not been known to steal people's credit cards using electron-microscopy. Similarly, hackers have not the resources to use electron-microscopy to acquire your credit cards -- nor would it be worth it. However, if your a high-tech company selling your computer equipment to another company, a multi-sweep delete of your files may be necessary to protect your information from competing companies, who may have bought your machinery through another company as a front.

    3. A deletion that dissociates the file from the directory (renames the 1st character). Use this for non-sensitive data. For example, stories you've written, calendars, lists, ideas, old programs, pictures, etc etc.

    Hope this has been helpful -- and please, remember, if you want to securely remove sensitive data either by a single-sweep wipe (to protect it from hackers) or a multi-sweep wipe (to protect it from the government), please remember to also securely remove swap files and temporary files as well!

  • Many contracts say that at some point after the contract ends you have to delete whatever copies you've got of the confidential documents, source code, whatever.

    It's not that hard to delete copies from your hard disk, shred the hard copies, and remember to "really delete" it all from your source code control system.

    But who, in the real world, goes through their backup tapes, CDs, whatever, trying to erase individual files? or even parts of files? whilst not destroying other data - it just can't be done.
  • I wish I could find the link the Feds use as guidelines for grabbing systems from suspects... Its a good read.

    Anyhow, blasting the actual file is not enough. When you go to clean stuff off, make sure that chunk of hard drive (virtual ram) is flushed out as well - both *nix and windows. RAM drives go a long way here, if you were lucky enough to pick up a stack of 512M sticks when they were cheap.

  • When you're done with a big job, always wipe. (Score:3, Insightful)

    by Webmoth ( 75878 ) on Monday January 14, 2002 @12:44PM (#2836562) Homepage
    I find the following command useful:

    # dd if=/dev/random of=/dev/hda

    This is assuming, of course, that if your root partition is on /dev/hda, you don't mind reinstalling everything. It's sort of an OS suicide command.

    Using random data as opposed to zeroes is more secure because writing zeroes may leave a readable residual magnetic signature on the media whereas random data tends to obscure the mag sig.
  • dd if=/dev/random of=/home
    Use whatever is appropriate instead of /home

    You can also overwrite files with zeros (such as the ones that come from /dev/zero or /dev/null), but the problem is that after such procedure, by physically examining the disk, one can often reconstruct the pre-existing data WITH A CERTAIN DEGREE OF ACCURACY.

    hth
  • Having recently left a job teaching police and customs officers how to get in to other people (read criminals) computers I zeroed my pc before I left. My ex-employers are still trying to work out whether or not I was being malicous. The next user will probably want to stuff some version of M$ on it anyway so I claim I was being considerate.

  • My Exercises in Paranoia (Score:3, Interesting)

    by Deagol ( 323173 ) on Monday January 14, 2002 @01:26PM (#2836824) Homepage
    (For context, I run Linux 100% of the time on my machines.)

    Continually write cruft to hard drive: Run a batch script that continually loops through: 1) dd from /dev/zero to a dummy file on partition; 2) delete when drive fills; 3) dd from dev/urandom to same file; delete file. As the drive will have many writes to it, it would make things very tough to recover. This never had much performance impact on the machine.

    I wish I could find a utility that cleans out inode information, much like the dos/win utils that scrub deleted filenames from the FAT.

    Edit documents and browse web from a virtual machine on an encrypted device:

    I use the loopback patches (/pub/linux/kernel/people/hvr at your local kernel mirror) to run an encrypted device. I then use VMWare (though bochs, plex86, or User Mode Linux should work) to run Linux and Windows for browsing and email writing. Note that VMWare has a nice "undoable" disk feature, in which you can "commit" or "discard" changes to the virtual disk. So I have a pristine Win95 VM, which I log into to do my stuff, and then I discard the changes, thereby removing cached macterial, cookies, etc.

    Note that this doesn't thwart traffic analysis or "rubber hose" tactics. In fact, once the loopback devices are mounted, you can perform standard file/data recovery techniques on them.

    Use file encryption for email and sensitive files. I use GnuPG for this.

  • Why no discussion of file slack space? (Score:5, Insightful)

    by Goldenhawk ( 242867 ) on Monday January 14, 2002 @02:00PM (#2837031) Homepage
    I'm surprised I've seen no discussion here of the very basic problem of file slack space - that unallocated space at the end of the last sector of every data file, except those that exactly fill a disk sector. Most of the methods described here for easy ways to wipe empty hard drive space do not overwrite all the file slack space. You need a program that does that explicitly. Otherwise every sector with the tail end of a file contains easily recoverable data, although disassociated from any filename. Given that the slack space on a hard drive averages out to $sectorsize*$numfiles/2 (on average, 1/2 of a sector, times the number of files), the average 40Gb hard drive with 10,000 files might have 50Mb or more of recoverable data, even if the "empty" space were completely and unrecoverably wiped.

    I learned about this while preparing to publish a program commercially, and discovered that (at least at the time) files I copied to the distribution media master sometimes contained sensitive data, such as the source code, from my own hard drive. Basically, DOS wasn't very picky about copying a few extra bytes along with the actual file length, as long as the extra bytes didn't go past the end of the destination sector. The answer? I used a slack wiping program on the master disk before sending it for duplication.

  • You have to press 'y' too many times (Score:4, Funny)

    by debrain ( 29228 ) on Monday January 14, 2002 @02:02PM (#2837050) Journal
    'rm -Rf star' is much preferrable, or '/bin/yes | rm -R star'. Otherwise you would be there all day pressing 'y'. You could always do it the Homer Simspon water bird way...

    (I know ... offtopic and frivilous...)

Slashdot Top Deals

Say "twenty-three-skiddoo" to logout.

Close