Trash, Delete, Shred

Michael S. Mikowski z_mikowski at yahoo.com
Thu Jul 3 13:41:02 BST 2003


On Wednesday 02 July 2003 14:49, Keunwoo Lee wrote:
> On Sat, 28 Jun 2003, Michael S. Mikowski wrote:
> > On Saturday 28 June 2003 17:58, Dawit A. wrote:
> >
> > <snip>
> >
> > > Not everybody does this and the idea of shredding in the real world is
> > > completely different than that of the digital one. See the current
> > > debate about the existing "Shred" feature in konqueror.  Shredding can
> > > be done with some degree of reliability in the real world whereas such
> > > action cannot be guaranteed for magnetic storage medium.  The only
> > > reliable way to completely destroy information from a hard drive is to
> > > dismantle it and burn the platters IIRC.
> >
> > </snip>
> >
> > Yes, that's true from what I understand.  But security is always a
> > matter of degrees.  Physical shredding isn't foolproof either -- I
> > remember old pictures of shredded documents the KGB painstakingly
> > reconstructed from CIA trash.  The point, however, is to make it more
> > expensive to recover the data.  Does electronic shredding do this?
>
> It depends on the filesystem, and many other variables.  See man shred(1).
> This is a paper people often cite:
>
> http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
>
> Google also turns up this recent response, which mostly confirms the
> paper's findings:
>
> http://www.doxpara.com/read.php/security/secure_deletion.html
>
> With the introduction of ext3 and other journaling filesystems, I believe
> that filesystems like ext2 (where shred had at least a fighting chance of
> working properly) are going to see less and less use.  The result
> eventually will be that most users are working on filesystems that don't
> support shredding, but the menu option will be there anyway.  Of course,
> one could put off removing the menu option until that day arrives.
>
> OTOH you are correct that security is a matter of degrees.  It's widely
> known the government can factor 1024-bit RSA keys in seconds or minutes
> (Google "Lucky Green 1024 bit RSA").  This doesn't stop us from using
> 1024-bit RSA keys, because they are sufficient to stop a casual, or even
> motivated but not well-financed, attacker.
>
> Recovery of data from magnetic media through physical means is not
> something your average hacker can cook up in a basement---it requires
> access to special equipment and techniques that are not publicly
> available.  OnTrack, for example, charges at least many hundreds of
> dollars to recover a hard disk.  On the "right" configurations, shred does
> increase the cost of recovery by several orders of magnitude (running a
> software utility vs. obtaining the physical disk and sending it to a
> recovery service), making it an effective security measure.
>
> However, the user will usually *not* know whether (s)he has the "right"
> configuration to make shred work.
>
> ~k

Thanks, Keunwoo!  This is very informative.  I took a look at the documents 
but didn't see a reference to journaled file systems [jfs].  Perhaps you can 
give me some pointers, if you have a minute.

My impression is that "shredding" means overwriting the entire file contents 
*on the physical disk* with random bits perhaps 3-4 times.  From what you 
have written it appears that shredding value is impossible on jfs.  My 
limited understanding of jfs is that old data remains on the disk until new 
data is committed.  Is the trouble that it is impossible to physically 
overwrite the "old" data?

If I understand this correctly -- and there is no guarantee of that :) -- then 
a jfs would need to provide a shred function to ensure the "old" data gets 
scrubbed.  In other words, it needs to circumvent its typical operation and 
work more directly on the physical medium.  Is this correct?

Do you know if any jfs does or will support a "shred" capability?

> The result
> eventually will be that most users are working on filesystems that don't
> support shredding, but the menu option will be there anyway.  Of course,
> one could put off removing the menu option until that day arrives.

It would be good if the option were grayed-out if shredding wouldn't work... 

Cheers,

Mike
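
Added example (not part of the original message and not Konqueror's code): one way a file manager could decide whether to gray out a Shred action, by looking up the file's mount in /proc/mounts-style data. The filesystem classification follows the caveats in GNU shred(1) and is an assumption, as are the function names and the constructed sample mount table.

```python
import posixpath

# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda2 /home ext3 rw,data=journal 0 0
/dev/hda3 /scratch ext2 rw 0 0
/dev/hda5 /srv reiserfs rw 0 0
server:/export /mnt/nfs nfs rw 0 0
"""

# Assumption: classification taken from the caveats listed in GNU shred(1).
IN_PLACE = {"ext2"}
NOT_IN_PLACE = {"reiserfs", "xfs", "jfs", "nfs"}

def parse_mounts(text):
    """Return (mount_point, fstype, options) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts writes a space in a path as the octal escape \040.
            mnt = fields[1].replace("\\040", " ")
            entries.append((mnt, fields[2], set(fields[3].split(","))))
    return entries

def mount_for(path, entries):
    """Longest mount point containing path; a later entry wins a tie."""
    path = posixpath.normpath(path)
    best = None
    for entry in entries:
        mnt = entry[0]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = entry
    return best

def shred_verdict(path, mounts_text):
    """'in-place', 'not-in-place' or 'unknown'; enable Shred only for 'in-place'."""
    hit = mount_for(path, parse_mounts(mounts_text))
    if hit is None:
        return "unknown"
    _, fstype, opts = hit
    if fstype == "ext3":
        # shred(1): only data=journal mode journals file data, not just metadata.
        return "not-in-place" if "data=journal" in opts else "in-place"
    if fstype in IN_PLACE:
        return "in-place"
    return "not-in-place" if fstype in NOT_IN_PLACE else "unknown"
```

The verdict only says whether an overwrite is expected to land on the blocks that held the file; it says nothing about recovery from the physical medium.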





More information about the kfm-devel mailing list