Feeds

Working up an appetite for destruction

Data disposal without tears

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Crush, Kill, Destroy

When it comes to deciding what data you should jettison, I'm going to have to leave that up to you and your legal counsel (did I mention that I'm not a lawyer?). Basically, if you're not legally obligated to keep it, and there's no real technical reason, I'd encourage you to get rid of it. Erase it, and make sure that you remove the backups as well. If you're really going to destroy data, then make sure you get all of it, which of course leads to another important consideration: where is the data we want to get rid of stored?

One of the most obvious locations of data that should be removed is the hard drive. Unfortunately, this is also where a lot of mistakes are made. Simson Garfinkel recently published a fascinating and revealing article titled "Remembrance of Data Passed: A Study of Disk Sanitization Practices" (882 kb PDF) that every security pro should read. Garfinkel and his associate acquired more than 150 hard drives from eBay and offline sales, many of which were supposed "erased". They were able to recover data from 64 per cent of the drives. Some of the data they recovered included:

  • 3,722 credit card numbers
  • Bank account numbers, access dates, account balances, and even ATM software from a hard drive used in an ATM machine in Illinois
  • Memos about corporate personnel issues
  • Email messages
  • Pornography

Garfinkel's larger point in his article is that merely formatting or fdisking a drive really does very little (in fact, fdisk only overwrites about 0.01 per cent of the drive's sectors). Data is still easily recoverable. To really erase the contents of a drive, sanitization software is required. Fortunately, there is some very good, very inexpensive (or even free) software available that can take care of this problem, no matter if you're using Windows, Mac OS, or *nix. Garfinkel recommends some software, but you can easily find other lists elsewhere.

Keep in mind that the software above will truly erase a drive, but still leave it usable. If you really want to make sure that data from a drive can't be recovered, and you want to work out your frustrations, then get a ball-peen hammer and beat the hell out of that drive until it's in pieces. Ain't no recovering that data.

Of course, you need to worry about more than just hard drives. What about USB drives? Palms and Pocket PCs? Cell phones? Laptops used by employees? Backup tapes, CDs, and DVDs? Routers? All these devices have the ability to store data on them that you may want to wipe. Heck, even the Furby - a talking doll - was a problem for the NSA a few years ago. All of these devices need to be covered by your policy, since any of them could be requested in a lawsuit.

Security for virtualized datacentres

More from The Register

next story
It's Big, it's Blue... it's simply FABLESS! IBM's chip-free future
Or why the reversal of globalisation ain't gonna 'appen
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
Bitcasa bins $10-a-month Infinite storage offer
Firm cites 'low demand' plus 'abusers'
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
CAGE MATCH: Microsoft, Dell open co-located bit barns in Oz
Whole new species of XaaS spawning in the antipodes
Microsoft and Dell’s cloud in a box: Instant Azure for the data centre
A less painful way to run Microsoft’s private cloud
AWS pulls desktop-as-a-service from the PC
Support for PCoIP protocol means zero clients can run cloudy desktops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.