Tuesday, November 30, 2010

Proper Hardware Disposal

In one of my classes last week, we discussed the proper way to get rid of old computer hardware, to avoid privacy issues.

I've gotten rid of old computers, but I generally either keep the hard drives (to destroy) or use software to do a thorough wipe of the drive's data When I say "thorough wipe", I am not talking about deleting files, because data can easily be recovered from a hard drive, EVEN AFTER YOU DELETE IT. Really. As a matter of fact, Microsoft's pre-Windows operating system, DOS, used to include an undelete tool which could recover deleted files easily.

eBay is one place people can purchase used hard drives, and they even provide information on why you need to thoroughly wipe a hard drive before you sell it. You can see that the site shows that social security numbers, credit card numbers, and all sorts of stuff can be found on these hard drives. This means your identity can be stolen even if you do nothing wrong, if a company you have purchased from does not follow good procedures for hard drive disposal. Aside from eBay, there are sites like Craigslist where people get rid of old hardware, and there are always garage sales. In the corporate environment, many colleges and companies pay companies to dispose of old hardware (such as eRevival locally). If you go with a cut-rate company, you may find that though they promise to clean hard drives, they may not do so thoroughly. Any of these are ways that data can be leaked if the hard drives are not wiped.

One way you can provide a level of security is to physically destroy the hard drive, though someone could pick it out of the trash and recover something. The best way is to do a full wipe of the hard drive, or what we used to call a "zeroize" at the company I used to work for. We were putting defense systems in military crafts, and one of the requirements was that the pilot needed to have a button to wipe all the data in the system, to prevent classified data from falling in to the enemy's hands. (Yes, that information is public.)

The Department of Defense has pretty high standards for data wiping, and there are a number of tools that meet their standards. The problem is most of these tools cost money. The one that I recommend is a free tool called Darik's Boot and Nuke (available for download at www.dban.org). Despite the informal name, it is a legitimate program (referenced by CNN and the BBC). There are commercial tools that do this sort of thing as well, but the major difference is not function, it is speed (DBAN has a reputation for being slow - the BBC article says it took two hours for an 80GB drive). DBAN is cool because it gives you a CD to boot off of, and you select the depth of the wipe you want. The more depth you want, the longer it will take to run. If you are going to do this, I would recommend choosing the most in-depth wipe, doing it before you go to bed (as a home user) or before you leave work in the evening (at work), and just letting it run overnight. That way, there is no time wasted waiting for wipe to be completed. In a professional environment, having a DBAN CD around is not a bad thing, especially so your company does not end up in violation with the standards that govern your industry (Sarbanes-Oxley, HIPAA, FACTA, etc.).

A larger company may want to invest in faster, packaged software for this, or a hard drive sanitizer (such as this one - though I am certain their claim of 7 minutes per drive is for the simple wipe and not the seven-pass version).

Any of these options are better than the ol' sledgehammer method, because who wants to clean up that mess?


Anny said...

This is useful information for people trading in laptops when upgrading - like at Staples.

Javier said...

Best solution, fire them up!!! Set on fire im talking about.