The following text is copyright 2005 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

 

Family jewels to go

 

By Scott Bradner

 

I went to a talk by Simson Garfinkel, a Harvard postdoc research fellow and an Instructor at the Harvard Extension School, the other day.  The talk was about using "patterns" to understand complex problems and ensuring that the solutions to the problems actually matched the problems.  The talk used the real-world problem of residual data left on recycled disks to show how the concept of patterns could be used.

 

Garfinkel's talk (http://www.simson.net/ref/2005/patterns-crcs.pdf) was quite scary for a security geek like me.  I had been generally aware that far too many disks that government agencies, enterprises and individuals sell or trade in when upgrading their systems still contained valuable information, but I did not know the extent of the problem.

 

For one part of his PhD thesis (http://www.simson.net/thesis/) Garfinkel bought over 230 used disk drives off of eBay and from other sellers of recycled disk drives.  He then ran some disk analysis tools that he had developed on these drives to see if he could find anything useful.  He did.  In chapter 3 of his thesis he details what he found, and it included thousands of credit card numbers, detailed financial and medical records, corporate trade secrets and other highly personal information.  He found that the problem was not one that was confined to a few disks; in fact he found residual information on a majority of the used drives.  He also referred to a number of news accounts of other such data found by others, from ex-Beatle Paul McCartney's banking details to pharmacy records for thousands of patients who filled their prescriptions at an Arizona supermarket.  Yup, the problem is real - now the question is 'have you or your company contributed to this problem?'

 

It would seem to be a no-brainer to at least erase disks that might contain confidential information.  So why is the problem so widespread? 

 

Garfinkel contacted as many of the owners of the drives that had data on them as he could and discovered two different reasons that so many drives still had data on them.  First, some people just did not think of the issue when they disposed of the drives - a problem Garfinkel calls the "education problem." Second, many applications lie when they tell the user that their data is being removed - Garfinkel calls this the "usability problem."

 

The education problem can be addressed by teaching users that residual data can be a big problem, or by companies developing and mandating computer system decommissioning organizations or processes that take the guesswork out of disk recycling.

 

The usability problem is harder because it is generally not possible to be sure that an application is actually removing data from a disk when you delete a file or reformat the disk without knowing more about the application than most users can find out.  For example, the common Microsoft utilities for both these functions actually just free up disk space without overwriting the unused disk space to ensure the data is actually erased. There are devices and software tools that do the right thing and should be used. Note that US law requires actual data erasure when credit report data is involved. (http://www.sec.gov/rules/final/34-50781.htm)
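
An added illustration, not part of the original column and not one of Garfinkel's tools: a pre-disposal audit that counts sectors still holding data, run against a constructed disk image after a modelled "quick format" and again after a full overwrite. The 512-byte sector size, the image layout and all function names are assumptions made for the example.

```python
import os
import tempfile

SECTOR = 512  # assumed sector size

def audit_image(path, sector=SECTOR):
    """Return (total_sectors, residual_sectors, first_residual_offset)."""
    total = residual = 0
    first = None
    with open(path, "rb") as f:
        while block := f.read(sector):
            if block.count(0) != len(block):  # any non-zero byte is residual data
                residual += 1
                if first is None:
                    first = total * sector
            total += 1
    return total, residual, first

def build_demo_image(path, sectors=64):
    """Constructed image: sector 0 plays the directory, sectors 10-12 the file."""
    with open(path, "wb") as f:
        f.write(bytes(SECTOR * sectors))
        f.seek(0)
        f.write(b"DIRENTRY report.txt -> sector 10")
        f.seek(10 * SECTOR)
        f.write(b"constructed sample record " * 50)  # 1300 bytes, 3 sectors

def quick_format(path):
    """Models delete/quick format: only the directory sector is cleared."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))

def full_overwrite(path):
    """Overwrites every sector with zeros and flushes to the medium."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(bytes(size))
        f.flush()
        os.fsync(f.fileno())

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        build_demo_image(path)
        quick_format(path)
        after_quick = audit_image(path)
        full_overwrite(path)
        return after_quick, audit_image(path)
```

After the modelled quick format the audit still finds the three data sectors; only the full overwrite brings the residual count to zero.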

 

Don't be a data spreader - actually erase data before you sell that drive or take out the frustrations of the job with a hammer.

 

disclaimer:  Job frustrations?  At Harvard?? Say not so, anyway the above seminar report is my own.