Thanks to OG for passing this along. The bashing of the Rolling Stone article is appropriate, but I take exception to the characterization that
"Back to CERT, which is one of the most trusted of information disseminating entities in the world of IT."
No, they're not. CERT is a US government agency, and as is the case with all government agencies within the USA, they value obedience over brains. Here's what they tell you to do to destroy data on a disk:
Some people use extreme measures to make sure their information is destroyed, but these measures can be dangerous and may not be completely successful. Your best option is to investigate software programs and hardware devices that claim to erase your hard drive, CD, or DVD. Even so, these programs and devices have varying levels of effectiveness. When choosing a software program to perform this task, look for the following characteristics:
- "Secure Erase" is performed - Secure Erase is a standard in modern hard drives. If you select a program that runs the Secure Erase command, it will erase data by overwriting all areas of the hard drive, even areas that are not being used.
- data is written multiple times - It is important to make sure that not only is the information erased, but new data is written over it. By adding multiple layers of data, the program makes it difficult for an attacker to "peel away" the new layer. Three to seven passes is fairly standard and should be sufficient.
- random data is used - Using random data instead of easily identifiable patterns makes it harder for attackers to determine the pattern and discover the original information underneath.
- zeros are used in the final layer - Regardless of how many times the program overwrites the data, look for programs that use all zeros in the last layer. This adds an additional level of security.
The only problem with their advice is that data are still recoverable. When I want to kill data on a hard drive, I use a couple of neodymium magnets, which I believe are now illegal in the USA. They scramble the bits, making the drive unreadable even by forensics companies. Another effective approach involves judicious use of a power drill, which also renders the drive useless.
"Three to seven" overwriting passes? Those people are nuts.
Ever heard of MITRE Corporation? Conveniently located in McLean, Virginia. Guess who's running the show.
It hasn't been the Russians.