A recent pointer to Peter Gutmann’s new book on security engineering (looks good, by the way) reminds me that Gutmann’s name is associated with the woeful tale of disk erasure norms.
The argument goes this way: ‘normal’ file erases (from your Windows shell, say) merely change pointers in tables, and do not remove any data from the disk. A fairly unsophisticated process will recover your ‘deleted’ files. Wiser people ensure that the file is deleted from the media itself – by writing zeros over the sectors on the disk that formerly contained the file. Gutmann’s argument was that because of minor variations in disk head alignment with the platters, this is insufficient to ensure the complete removal of the residual magnetic field from the former data. There is a possibility that, with the right equipment, someone could recover the formerly-present files. So he has an algorithm involving, I think, 35 passes, writing various patterns, calculated to destroy any remaining underlying data.
Now, the problem appears/appeared real enough: various government standards have, for decades now, ruled that magnetic media which has held classified material cannot be declassified but must be destroyed before leaving secure custody. Whether anyone has ever managed to recover a non-trivial amount of data from a once-zeroed disk is much less clear: as far as I know, there’s not a lot in the open literature to suggest it’s possible, and none of the companies specializing in data recovery will offer it as a service. Furthermore, since Gutmann did his original work, disk design has evolved (and the ‘size’ of the bits on the disk has become so small that any residual effect is going to be truly minimal), and disk manufacturers have built a ‘secure erase’ into their controllers for quite a few years now. Even better, the new generation of self-encrypting drives can be rendered harmless by the deletion of just one key (don’t do this by accident!).
Yet, the perception persists that the simple solutions are insufficient. Let us leave aside Government security standards and think simply of commercial risk. Multi-pass erasure is downright time-consuming. You can buy a disk-shredding service – but this attracts quite a fee. So it is not uncommon simply to archive used disks in a warehouse somewhere (with or without a single zeroing pass, I suppose). How long you would keep those disks for is unclear: until their data ceases to be valuable, I suppose. But without a detailed inventory of their contents, that cannot easily be determined. So perhaps you have to keep them forever.
My simple question is: which attracts the lower risk (and/or the lower total predicted cost)? (a) Zeroing a disk and putting it in a skip, or (b) Warehousing it until the end of the lifetime of the data it holds? You can postulate whatever adversary model you wish. The answer is not obvious to me. And if we can’t make a simple determination about risk in this case (because, frankly, the parameters are all lost in the noise), what possible chance do we have of using risk calculations to make decisions in the design of more complex systems?