New Jersey has just released a report on a state audit which found that almost 80 percent of the used computers it was ready to auction off still contained data. In some cases the disks held sensitive personal information that could be used for identity theft. The full report is available here.
It is pretty safe to say that within the community of computer forensic examiners absolutely nobody was surprised by this. Four years ago Fulcrum did a similar examination of disks bought at random on eBay and found a similar proportion of drives with recoverable data, personal data included.
Although personal misconduct is hinted at in the report, from a technical standpoint I believe that the problem stemmed from three things:
- Common misperceptions regarding data destruction.
- Regulations that did not reflect current technologies.
- Regulations that did not reflect current economics.
Unfortunately, the temporary ‘solution’ New Jersey is pursuing will actually make the problem worse.
1. Common misperceptions about data destruction.
Burn this fact into your memory: formatting a hard disk erases almost none of the data on it. A format rebuilds the file system’s bookkeeping structures (boot sector, allocation tables, directory entries) and leaves the contents of the data area in place, where any forensic tool can read them straight back. The warning most systems give about formatting erasing all data on the disk was true of floppies and of 1980’s hard disks. The warning has hung around, but from an actual data destruction standpoint it is incorrect. Nor is there, traditionally, any difference in data destruction between a quick format and a normal format: the latter scans the disk surface for bad sectors, and scanning changes none of the data. (The one exception worth knowing: starting with Windows Vista, a full, non-quick format does write zeros over the whole volume. A quick format never does, and on Windows XP and earlier neither did.) Finally, the ‘low-level’ format is a myth. Modern hard disks are formatted once at the factory; they accept the commands to do such a format and ignore them.
The procedure that actually removes the data from the disk is called a wipe. It means writing new data over every sector of the drive, not just the metadata. Unfortunately, a wipe is not an obvious process to carry out: how do you wipe the very disk the computer is running from?
On a magnetic hard disk, a single pass of zeros over every sector is enough for any purpose short of classified material: nothing is recoverable by software, and the drive looks as if nobody had ever used it. Classified material falls under stricter rules (multi-pass overwrites, degaussing or physical destruction). Two caveats a practitioner should keep in mind: verify the pass afterwards by reading the drive back and confirming it is all zeros, and remember that this applies to spinning disks. A solid-state drive remaps sectors internally, so an overwrite pass is not a reliable wipe for one; use the drive’s own built-in secure-erase command instead.
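As an added example that is not part of the original post, the following shell script stands in a 4 MiB image file for a disk and demonstrates the two claims above on constructed data (a made-up ‘SSN’ marker): zeroing only the first 64 KiB, which is roughly the region a quick format rewrites, leaves the marker readable by a raw scan, while a single pass of zeros over the whole image removes it, and a read-back check confirms that no non-zero byte remains. The file path, marker string and sizes are assumptions for the demo; on a real machine the target of the same dd command would be the whole device (for example /dev/sdX on Linux, booted from other media as described later), never a mounted partition.

```shell
#!/bin/sh
# Added example: a regular file plays the role of a hard disk so that the
# demo runs without touching any real device. All data is constructed.
IMG="${TMPDIR:-/tmp}/wipe-demo.img"   # assumed path for the fake disk
MARKER="SSN=123-45-6789"              # constructed 'personal data'

# make_disk: 4 MiB of zeros with the marker written 1 MiB in, the way a
# file body sits well past the file-system metadata at the front.
make_disk() {
  dd if=/dev/zero of="$IMG" bs=1M count=4 2>/dev/null
  printf '%s' "$MARKER" | dd of="$IMG" bs=1M seek=1 conv=notrunc 2>/dev/null
}

# quick_format: rewrite only the first 64 KiB (boot sector and file-system
# metadata). The data area is untouched, which is the point of the article.
quick_format() {
  dd if=/dev/zero of="$IMG" bs=64K count=1 conv=notrunc 2>/dev/null
}

# wipe: one pass of zeros over every byte. On real hardware this is
# `dd if=/dev/zero of=/dev/sdX bs=1M`, which is what a one-pass wipe does.
wipe() {
  dd if=/dev/zero of="$IMG" bs=1M count=4 conv=notrunc 2>/dev/null
}

# marker_present: prints 1 if a raw scan of the image still finds the
# marker (what a forensic examiner would do), 0 otherwise.
marker_present() {
  if grep -qaF -- "$MARKER" "$IMG"; then echo 1; else echo 0; fi
}

# nonzero_bytes: the verification step; prints how many bytes are not
# 0x00. A properly wiped image (or drive) reports 0.
nonzero_bytes() {
  tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

# Usage, as run from the top level:
#   make_disk; marker_present      -> 1
#   quick_format; marker_present   -> 1 (the 'format' removed nothing)
#   wipe; marker_present           -> 0
#   nonzero_bytes                  -> 0
```

The verification function is the part most often skipped in practice: a wipe that was interrupted, or that was pointed at a partition rather than the whole device, leaves data behind that only a read-back will reveal.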
2. Regulations that did not reflect current technologies.
New Jersey set forth a four-step process for destroying data on a hard disk.
- Remove the drive.
- Degauss the drive using a special device that contains a powerful electromagnet.
- Return the drive to the computer and perform a low-level format.
- Re-install the operating system.
That is a fine set of instructions…for 1985. On a current drive, degaussing destroys the factory-written servo tracks the heads need to find their position, so the drive is rendered useless. Remember how I said that the low-level format is a myth from earlier days? With current hard disk technology step 2 makes steps 3 and 4 impossible, and step 3 could not be carried out even on its own. When the letter of a regulation is impossible to follow, its intent, data destruction, gets ignored too.
3. Regulations that did not reflect current economics.
The latest ad from Fry’s Computer shows a brand-name new 500 gigabyte hard disk for $38. How much can a used one be worth, considering that hard disks do eventually fail? Now look at the four-step process in the New Jersey regulation. Is there any way a computer tech could complete those steps fast enough to justify the value of a used disk drive that sells for $38 new? Even if, instead of degaussing the drive, they connected it to another computer, ran a wipe program, and skipped re-installing the operating system (you don’t know what OS the buyer will want anyway), the time spent is still unlikely to be economical. To be absolutely clear, the moral obligation to protect confidential data supersedes any profit motive in selling the used equipment. However, the state’s surplus property program was probably expected to be a revenue generator, which puts pressure on the employees to spend as little on the problem as possible.
So how do you wipe a computer properly and economically?
It would be great to have a method that did not require the time and effort of opening the computer, removing the disk(s), wiping them elsewhere, and reinstalling them later. It would be great to have a method where, presuming the computer can run at all, you only change something on the outside, turn the computer on, and walk away while the computer on its own wipes every byte of every disk in it. But I know what you are thinking: no way is there anything like that, and if there is, how do I make sure I never do it by accident?
Well, there is such a method. It is most commonly called Boot-and-Nuke, after the most common program that does it, Darik’s Boot And Nuke (DBAN). Essentially you put DBAN on a CD, or on a USB drive for computers without a CD drive. Then you power up the computer, check the BIOS setup so it will boot from the DBAN CD or USB, and boot the computer. The computer then runs a tiny version of Linux entirely from the CD or USB, leaving all the disk drives free for wiping. Tell it which drives to wipe and walk away; a 500 GB drive takes about two and a half hours for a one-pass wipe. As for doing it by accident: nothing happens unless you deliberately boot from the DBAN media, but DBAN will wipe every drive you select, including any USB drive left plugged in, so disconnect anything you want to keep before you start, and have it verify the pass so you know the drive reads back as zeros. Come back later, remove the DBAN disk, turn the computer off, and it is ready to be safely donated or sold with a blank disk.
What New Jersey did instead.
In case you haven’t already guessed from the ‘instead’ part, the New Jersey Comptroller did not simply have the surplus equipment program switch to a free, simpler, faster, and easier method once it was apparent that the regulation’s methods were outdated, uneconomical, and ignored. No, they continued the audit study for two and a half years and then decided that the individual departments had to remove the hard disks themselves before sending the surplus computers to the warehouse. Each department then has to take responsibility for wiping and disposing of its own hard disks.
As a result:
- Rather than one department needing to know how to wipe a hard disk properly, every department does, increasing the chance that disks won’t be wiped properly.
- Removing the hard disk from the computer, a step that DBAN or a similar program makes unnecessary, becomes required.
- The state can only sell computers without hard disks through its surplus program. At the same time it has no central way of disposing of the surplus hard disks, which will now be spread all over the state government.