Archive for the ‘legal’ Category

Securely wiping a drive with dd

Cleaning the hard drive of any machine, be it desktop, laptop or server, before either repurposing or selling (or even scrapping) should be a basic requirement of any organisation. But there is a seemingly unrelenting stream of reported incidents, some of which come from organisations that really should know better, MI6 and military contractors for example.

Is securely wiping data from drives really that difficult? Not really.

Simply boot the system with nearly any live Linux system (I use Knoppix for this kind of work), then use dd (discussed previously to image drives) to overwrite the drive with random data. For example:

dd if=/dev/urandom of=/dev/sda

This simply overwrites the entire physical drive, sda, with random data taken from the pseudo-device /dev/urandom. For more in-depth info on wiping with dd and some different options, see this guide.

The downside to wiping drives with this method is the length of time involved; in recent cases I have seen an 80GB drive take a little over five hours to complete.
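As an added example (not from the original post), the sketch below wraps the same random overwrite in two checks: it refuses a target listed in /proc/mounts, and it hashes the final MiB before and after so a multi-hour pass that stopped early is noticed. It assumes GNU dd, sha256sum and blockdev; the function names are hypothetical, and it is meant to be tried on a scratch image file before a real drive.

```shell
#!/bin/sh
# Added example: guarded random overwrite with an end-of-target check.
# Function names are hypothetical; GNU coreutils dd is assumed.

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# SHA-256 of the last (possibly partial) 1 MiB block. $1 = target, $2 = size.
tail_hash() {
    dd if="$1" bs=1M skip=$(( ($2 - 1) / 1048576 )) 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

# Overwrite $1 with random data. Returns 0 only if the write completed
# and the tail of the target actually changed.
wipe_random() {
    local target="$1" size before after
    # Refuse a device (or any of its partitions) that is currently mounted.
    if awk -v t="$target" 'index($1, t) == 1 { f = 1 } END { exit !f }' \
           /proc/mounts 2>/dev/null; then
        echo "refusing: $target is mounted" >&2
        return 2
    fi
    size=$(target_size "$target") || return 2
    before=$(tail_hash "$target" "$size")
    # bs=1M replaces dd's 512-byte default block size, which is a large part
    # of why a plain dd pass is slow. count_bytes stops at exactly $size bytes,
    # notrunc keeps an image file's length, fsync flushes before dd exits.
    # Replace 2>/dev/null with status=progress to watch a long run.
    dd if=/dev/urandom of="$target" bs=1M count="$size" \
       iflag=fullblock,count_bytes conv=notrunc,fsync 2>/dev/null || return 1
    after=$(tail_hash "$target" "$size")
    # An unchanged tail means the pass never reached the end of the target.
    [ "$before" != "$after" ]
}

# Usage on a constructed scratch image:
#   truncate -s 8M /tmp/scratch.img && wipe_random /tmp/scratch.img
```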

Disclaimer: this may not make your data completely irretrievable but it should be enough to prevent the data being obtained by the simply curious. To truly ensure irretrievable data, try this method.

(Disclaimer’s Disclaimer: Server destruction should only be carried out by trained professionals, InfoSanity accepts no responsibility for loss of life, limb or eyebrow)

Andrew Waite

Categories: infosec, legal, privacy, tool-kit

Phorm e-Petition Response

Quick heads up to anyone following the Phorm/privacy debates: The government’s response to an e-petition to ask the government to stop ISPs from breaching privacy laws has been released.

The full response can be read here, it’s fairly short so I won’t go into too much detail, but I’m glad to see the government is taking this seriously and not passing the buck to the ICO (the ICO’s view):

ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.

“Thank you for bringing this to our attention; your concerns are very important to us; your concern will be answered shortly…”

Andrew Waite

Categories: legal, privacy

BBC, Botnet, Ethical, Legal?

2009/03/13 Andrew Waite

New story seems to be everywhere at the moment. It appears that the BBC has ‘investigated’ the impact of botnets by hiring a 22,000 strong herd and ‘testing’ on their systems, but still utilising 22,000 compromised, private machines. Original BBC article is here.

Many sites (The Register and The Guardian) have asked the question as to whether this is legal. The BBC article claims that:
‘If this exercise had been done with criminal intent it would be breaking the law.’

Although several places have pointed out that criminal intent is not required for a criminal act (IANAL so please don’t quote me on that).

The ‘ethical’ botnet/virus/trojan/etc. has been debated for many years (discussed in Aggressive Network Self-Defense and debated by the Tipping Point team during their analysis of Kraken). Personally I think it speaks volumes that the technical experts stop short of the actions taken by the BBC, but the journalists blow through without compunction.

Will be interesting to see how this plays out.

Andrew Waite

Categories: legal, malware