Computer privacy?

kev1-1

Enlightened
Joined
Oct 23, 2002
Messages
585
Location
England
I used to have Norton Internet Security 2003 installed, which came with a file shredder that conformed to DoD standards. Does anyone know a reliable, and hopefully free!, programme that does this?

Ideally, I would like to be able to delete individual files but I have an old hard drive which needs wiping completely.

Thank you!
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
Let me know if you need a program that runs under linux. I can provide it.

I must ask, why would you need it? It takes VERY sophisticated equipment to recover information that has been erased and over-written even once. The DoD standard is something along the lines of 7 overwrites with various patterns and random data sources.

If a disk is already dead, you can 'erase it' by many means. I understand an arc welder does a great job. I bet a local machine/welding shop might do it for free just for the fun of it. Heat plus electrical fields plus physical damage! If it's not dead, you can use a batch file to repetitively copy a large file to the drive over and over.

Daniel
(P.S Thermite is a favorite for spy stories about hackers. A little bit on top of the drive, ignite it and nothing left to examine)
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
I forgot about the mundane. You can have tapes and disks 'degaused' by teh same companies that provide shredding service. You can buy your own degausser.



Daniel
(P.S. One hacker supposedly installed an coil around the door jamb and activated it when the door was opened if the computer was turned off. . The FBI agent pulled the power from the computer and carried it to the truck, only to find the disk was erased. The coil created a magnetic field that srambled the data fairly well.) Have you guessed that I used to be in the computer security field? /ubbthreads/images/graemlins/smile.gif
 

kakster

Flashlight Enthusiast
Joined
Feb 6, 2003
Messages
1,903
Location
London, UK
An unshielded AV subwoofer placed next to the computer works rather well, as i once found out by complete accident. Watch an action movie with lots of explosions and if the magnetic field doesnt trash the drive, the vibrations will do a pretty thorough job on the mechanisms.
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
[ QUOTE ]
...It takes VERY sophisticated equipment to recover information that has been erased and over-written even once.

[/ QUOTE ]

VERY sophisticated equipment is becoming the norm. Your drive writes to the platter using a head that was state of the art years and years ago. Your drive may be dissassembled and write traces may be read by reassembling them into a drive equiped with heads a little closer to the state of the art than your's are. This equipment is in the process of being commoditized and its use is no longer confined to those with pockets as deep as the Fed.

[ QUOTE ]
...The DoD standard is something along the lines of 7 overwrites with various patterns and random data sources.

[/ QUOTE ]

The 7 pass DoD standard has two things wrong with it:

1)-- It was written a really long time ago and HDD heads have really come a long way since then.

2)-- Data overwriten seven times could still be read at the time of the initial writing of the standard with what were then state of the art heads. The standard was written to guarantee that any data wiped with that method would be recoverable by anyone with the right hardware. Peter Guttman (Da Man) said as much way back in the mid 90s.

The trend towards more advanced, cheaper, more accessable equipment will only make secure deletion of sensitive data more and more problematical in the future. We are rapidly reaching a convergence where it will become impossible to assume that any attacker lacks the resources to read 'securely deleted' files.

The bottom line is that in the real world it must be assumed that there is no reliable way to remove plaintext which has been written to a hard drive. So the safest approach is simply to NEVER write sensitive data to any hard drive in plaintext. That is the reality.

Write to transparent encrypted volume(s) or just transparently encrypt your whole drive, OS and all.

Just say no to plaintext.
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
I have to agree, encrypted volumes are better. Even that's not perfect, as it assumes that 1) you've protected the keys well enough and 2) the encryption has no weaknesses. It's not often that both of these happen among lay-people.

Encryption plus wiping works well, simply because the tech has a hard time figuring out when they have garbage and when they have data.

As for better heads, at the same time we have drives that are more sensitive and that use weaker signals. Where they gain in reading capability from better tools they lose in weaker singals and more data per square mm.

Personally, I figure I don't want any information on my computer (encrypted or otherwise) that I would not want on the front page of the local paper.

Sadly, most of the used drives and used computers I've bought were not wiped or even formated. I had internal IP addresses and host names at the JPL (Jet Propulsion Lab) on one system that I bought. I wiped that one myself.

To play devils advocate, if the department of home land security (why do I always want to type 'fatherland'?) wanted info on me they would simply serve a warrant while I was away from home. They'd fake a power fialure to crash the syatems, then they'd duplicate my drives and add spyware to watch what I do. All perfectly legal. They spend months and years on these things.

Daniel
 

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
Really what kind of measures are worth bothering with, depends on who the adversary is and what kind of data you have.

What I suggest for most people is use a laptop computer and keep it locked in a drawer when not in use. IBM laptops in particular support a hard drive password that, while it does not encrypt the drive, can't be bypassed without the capabilities of an electronics lab.

If you're doing something -really- hush-hush, you need to encrypt the drive.
 

tiktok 22

Flashlight Enthusiast
Joined
Sep 8, 2002
Messages
1,273
Location
Illinois
I always format very small and useless hard drives I've used in the past with a 20 pound sledge hammer!!!! /ubbthreads/images/graemlins/grin.gif It works great and it's really fast!
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
The problem with brute force is that it leaves the magnetic tracks there. It's possible to smooth out the platters and mount them on spcial spindles in a recovery center. Very expensive, very time intensive and not generally worthwhile, but a possibility.

I figure no one will ever really want to go through that much hassle looking for my info. If they ever do, they will be sadly dissapointed with how little there is to find.

Daniel
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
[ QUOTE ]
gadget_lover said:
...I figure no one will ever really want to go through that much hassle looking for my info. If they ever do, they will be sadly dissapointed with how little there is to find.

Daniel

[/ QUOTE ]
I'm afraid mine would be disappointing, too.

OT

From 'civic minded' point of view I think that it is much better for society as a whole if more people would guard their data and (therefore their privacy) much more carefully -- as though they had something to hide.

It really doesn't bother me that my government can read my email. What really gets me is that they can read my email SO CHEAPLY! While part of the government can go to the courts and get some doddering judge to grant permission for them to monitor my snail mail, the whole process is prohibitively expensive. That's GOOD from a privacy point of view. It is so expensive and resource intensive that they must weigh the facts very carefully before deciding to monitor the snail mail of even one person! For the same expenditure of resources I'd guess that they could monitor a couple HUNDRED THOUSAND email accounts for keywords.

My point is that if it is cheap and easy enough to surveil the entire population, that is where we will eventually end up. So from my point of view, everyone should encrypt everything. I don't care if someone wants to read my email and has the ability to do so. I just want to make damn sure that it will be expensive enough that it won't be sucked up with a vacuum cleaner and filtered on a wholesale level. To a lesser extent, the same applies to hard drives.

In some countries (like Germany) which have very recent memories of total government intrusion and no privacy, good citizens are encouraged to use encryption even for routine email for this reason. A couple years ago the German government even set up a website so it's citizens could PRACTICE sending and receiving encrypted emails.

They realize (correctly) that a combination of rapidly advancing information technology coupled with citizens who tend to be apathetic about their own privacy can lead to disaster when mixed with the all too human nature of public officials.
 

RussH

Enlightened
Joined
Jun 13, 2003
Messages
598
Location
MS
Sub Umbra has it right. As he said "My point is that if it is cheap and easy enough to surveil the entire population, that is where we will eventually end up."

It already has being done, the people engaged in ID theft are the dumb crooked ones. The real stuff hasn't hit the fan yet. I know people who have been in law enforcement for years, and they can't believe how easy it is to get information (and the kinds) these days.

I don't want my information out there wholesale either, but my life history is all over public and semi public computers (like the DMV). All I can hope to do about 20 year old information is move more often. All any one needs to know is your birthdate. It's better if they know where you were born, but just a name and birth date brings up enough information to find out the rest once someone wants to look for it.....
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
I'll third that.

I worked at the phone company as a tech years ago.
When the feds had to get a warrant to tap a phone line, I saw only one a year in a switching office with 10,000 phones. Big yellow box that sat on the floor; hard to miss. That was in a town with a high crime rate.

Now they need the ability to do it without detection and without a warrant? Why?

I'd use encryption if I had any faith in it. I'd send encrypted e-mail, but then I'd have to teach my parents how to use it. They live in different states. they are in thier 70s.

That's where the problem starts. If they need help I can't tell them over the phone, for once an pasphrase is compromised it has to be changed AND any data that it protected that might have been copied is also compromised. The phone may be tapped (mine or theirs). The mail may be read. The PC could have keystroke logging programs. Did you know there's a keyboard cable that records your keystrokes? $49.99!

So I don't bother.

Of course, if I talk my clients into it, I can make a fortune teaching them how to use it every few months. Hmmmmm...



Daniel
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
No security will ever be perfect.That is the nature of the beast. We owe it to ourselves to try to make our communications/data more secure. Yes there are key-loggers, Trojans and countless other tools that attackers can use against us but we shouldn't let ourselves feel so helpless that we refuse to take any action on our own behalf.

While the various countermeasures are imperfect, whether they be hardware, software or services provided by a third party, we gain a great deal of security through their use, anyway. Anything out of the mainstream that you do to secure your data will require added analysis, tools, action and greater expense to attack than if you do nothing. Right now in the States, 'Joe Consumer's' data is pretty much a monoculture. It's in plaintext. As I inferred before, it can all be sucked up and dealt with very cheaply as a wholesale commodity. Almost any action you take to secure your data/comms will at least have the effect of de-commoditizing it and making it much more expensive to read.

There is something else about 'Joe Consumer's' attitude about his data that really bothers me. His irrational fears have caused him to go into a paralysis where he refuses to do ANYTHING to make his data safer.

Let me give a couple of examples in the real world where people find an identical standard perfectly adequate for every aspect of their lives except for their data and computers.

Why do you lock your house/apartment doors when you go to work? Don't you know that someone could pick the lock? Don't you know that they could just crash in the door if they wanted to get in? Of course you know that. You lock your doors because you know that it helps -- that in fact it is quite a bit better than doing nothing.

Why do you lock your car? That's even worse than your house. Even more people are skilled at entering locked cars. There are many more methods to enter a locked car than there are to enter a locked house -- including towing it away! All of the anti-theft measures we use with our cars are imperfect. Locks, alarms and LoJack can all be defeated by a determined attacker. Yet people still lock their cars.

I find it really weird that we embrace these imperfect methods for our houses and our cars and yet we demand perfection for our computer security -- or we just won't play the game. In any discussion of computer security there are always those who pipe in with reasons why various methods of securing a computer and its data are imperfect, which is their stated reason for inaction. And yet these same people lock their cars and homes when they leave and are somehow able to accept these very imperfect solutions for the physical security of their own personal property.

I don't mean to sound like I'm responding to any particular poster here. I've just noticed this trend in EVERY discussion I've ever heard about consumer level computer security and I'll admit to spending far too much time pondering personal privacy issues. It just fascinates me. Deeply.
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
As an amateur locksmith and a certified computer professional (ISCP certified) with a security background, let me explain the difference....


You lock your physical property with what you believe to be strong locks (most have no idea how strong they are) because it's easy to do and you want to block casual thieves. You value what you think is being protected. The assumtion is that anyone could try to break in at any time. You are the only one who needs to unlock it. You can easily give keys to whomeever needs one.


Most people think that sending an e-mail from their computer to their mother is a point to point transaction. They don't realize that there may be up to 100 employees of various ISPs that could monitor an individual message. They think it's safe. They also don't lose anything of value when joe_the_network_guy snoops packets and reads their note to grandma. Grandma still gets the note and they never know it was snooped.


The reality is that an ISP employee is very unlikely to target a message from you to anyone else. Like a post office employee, they are too busy to bother most of the time.

I don't feel helpless, by the way. If I want to get secure information to someone I send them an encrypted copy, a link to a program to decode it and I call, visit or write them to give them the key. I still don't know if their computer has been compromised, but it's a start.

Sub_umbra; Let me point out that you did absolutely nothing to make your last post more secure. You did not even obfuscate the subject nor use euphemisms to hide your meaning. You did not PGP sign it to ensure it was not altered. You did not ROT13 encode it or even type it backwards. Why? I suspect because 1) there was nothing to hide and 2) There was nothing to lose and 3) because you wanted people to be able to read it. Plus, it'a a hassle.


Zbfg crbcyr ner pbaprearq nobhg frphevgl hagvy vg pnhfrf na
vapbairavrapr. Gung vf gur onar bs gur frphevgl cebsrffvbany.


Daniel
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
[ QUOTE ]

As an amateur locksmith and a certified computer professional (ISCP certified) with a security background,...

Sub_umbra; Let me point out that you did absolutely nothing to make your last post more secure. You did not even obfuscate the subject nor use euphemisms to hide your meaning. You did not PGP sign it to ensure it was not altered. You did not ROT13 encode it or even type it backwards. Why? I suspect because 1) there was nothing to hide and 2) There was nothing to lose and 3) because you wanted people to be able to read it. Plus, it'a a hassle.


[/ QUOTE ]
Emphasis mine.

I didn't mean any offense. I explicitly stated that I was only addressing issues, not posters.

As far as your assertion that I 'did absolutely nothing to make my post secure', you're wrong. Perhaps it did not appear to meet your security standards. Your security standards are not an issue when it comes to my posts on CPF. It was very secure by my standards. I used an stunnel proxy to a server a thousand miles away from where I live (that is, if you can really believe a guy like me /ubbthreads/images/graemlins/grin.gif). If you knew my ISP and put a carnivore box on it you wouldn't get Jack on my posts that way. /ubbthreads/images/graemlins/grin.gif Even if you have access to the CPF servers -- you're still not going to get Jack on my posts. /ubbthreads/images/graemlins/grin.gif You're going to get exactly what you're reading right now. Period.

As far as the security of my posts goes, they look pretty much like what I wrote.

I know enough not to make stupid challenges to people I don't know, but since you brought it up, aside from the stunnel use, there are still a half dozen measures I've taken that I haven't told you about -- you're at least three subpoenas and quite a bit of good old fashioned legwork (read expensive) away from my real name.

Things are not always what they seem -- even for certified computer professionals. Actually, if that's what I look like to certified computer professionals, then I'm still on the right track. Thanks for the critique. /ubbthreads/images/graemlins/grin.gif

As far as obfuscation goes, in my posts, I see no need for it. I used no dangerous key words. If I'm going to be taken away in the night for what I've written here today I'll be pretty far down a very long line of folks far more rad than I. I'll just part my hair on the other side and move if I see that trend beginning. I wrote my posts with the intent of being easily understood. Just being understood is truly enough of a challenge for me in this world. I tend to use obfuscation on other levels...

I'm sorry if I've offended you in some way. That was not my intent. I just tend to be a little evangelical about privacy issues...sorry.
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
Damn! I forgot to point out that I was having fun again! I'm not offended in any way. I LIKE security and wish it was practical to educate more people so that we'd have fewer DDOS, Phoshing and Spoofing problems.

I AM HAVING FUN:

[ QUOTE ]
As far as obfuscation goes, in my posts, I see no need for it.

[/ QUOTE ] That was my point. During most of our life, theres no reason for privacy nor security.

Using Stunnel to a distant proxy is, by definition, a reason to look into your actions under the homeland security act. How do you know the proxy has not been compromised?

Because you are using half a dozen other measures, you probably use the same ones consistantly. That makes it easier to plan an intercept.

We've discussed Computer, privacy, Encryption, Stunnel, proxy, security, homeland security, ISP and Carnivore. What makes you think we have not triggered something based on key words?

Personally, I'm also a privacy advocate. I would love it if every law change brought about by 911 were undone. The various agencies had plenty of data that would have prevented the disaster if only someone had understood the significance. They had plenty of tools that they did not use.

The law that allows warrentless searches and spying on personal communications is a people problem, not a technological one. So are the laws that protect copyright forever, except in wierd cases. Did you know, for instance, that every PM you send via CPF belongs to Sasha? Did you know that if you are exchanging PM's regarding a miracle invention, Sasha could sell that to someone and it's totally legal.

Yeah, there's lots to fix. It just occured to me that the advocation of encrypting everything tends to come from those that wish to create enough smoke that they are not noticed. Hiding anything? /ubbthreads/images/graemlins/smile.gif

Please, remember I'm just having fun. Say stop and I will. Don't get offended.

Daniel
 

tvodrd

*Flashaholic* ,
Joined
Dec 13, 2002
Messages
4,987
Location
Hawthorne, NV
My read of Daniel's post re Sub's was humor. A smiley would maybe have alleviated any doubts? Please keep the knowledge flowing for us non-computer security aware folks flowing! I have Norton AV, ZoneAlarm, AdWatch monitoring, and Spybot S&D. When I open IE (run FireFox except when going for an update from Uncle Bill) SpywareGuard immediately detects CWS varient infesting one end of my computer to the other! I get the update and clean most of it out with AdAware and SpyBot S&D, but they can't get it all /ubbthreads/images/graemlins/frown.gif . I have nothing on this box that I would worry about falling into enemy hands. Same for my emails/PM's etc. I can only hope that a "secure" purchase online is!
Edit: as to shredding a HDD, I have a bunch of magnets that will hold a 1" pad to my frig door, not to mention a large oxy-acetylene rig. /ubbthreads/images/graemlins/grin.gif

Larry
 
Top