LinuxInsider Talkback

Re: Securing Your Linux System Bit by Bit
Posted by jafcobend on 2018-01-10 18:52:46
In reply to Jonathan Terrasi
I beg to differ with the naysayers. Overwriting every addressable byte on your disk with '0' will definitely add a significant barrier to anyone trying to recover that data.

Can some magnetic residue of the original data be remaining on the disk? Maybe. But the cost of the equipment and expertise to recover it is going to be steep. Maybe if you're of interest to a well-funded spy or criminal organization will you have a real concern.

Flash is a little different story. Flash cells should erase cleaner. But there are the reserve sectors and the question of whether they are rotated through with the usual wear leveling algorithms. But this can be addressed with multiple passes. I would probably use 0 (/dev/zero) on the first pass and then 0xff on the second and repeat the cycle again. If the spare sectors are part of the wear leveling cycle, 4x the storage capacity will be more than enough to hit them. I leave off with the 0xff because that leaves the flash in the native "erased" state, ready for writing new data.

I don't know of a readily available source of 0xff bytes but the code to generate them with a compiled language is stupid simple. I wrote such a tool a long time back, which I still use. I would use a compiled language because we are talking about generating a *LOT* of bytes and interpreted languages will take much longer.

Some things to consider:

'dd' writes to the kernel's cache, like most programs. So you need to make sure the cache gets flushed to the device. Using the "sync" command as root can do that or shutdown/reboot will force the flush.

You can pipe any source of data into dd if you want to use a different erase pattern. Just use the standard pipe (|) arrangement. You could also use /dev/random or /dev/urandom to write random data. The first is probably completely useless as it would take a very long time for your system to generate the random data. The latter is faster because the random data is of lesser quality. It will still take a long time.

I would contend with the author's remark that this procedure is CPU bound. Although his formula is not as efficient as it could be, it's mostly an I/O bound operation. On a decent SATA or SCSI system I have routinely kept a drive saturated with I/O, this way, while not observing a noticeable impact on the rest of the system. The main thing you have to do is tell dd to use a larger buffer with the "bs", block size, option. I use 1M and it seems to provide real good throughput... and yes it will write a partial block if needed.

So something like:

dd if=/dev/zero of=/dev/sda bs=1M

And, yes, a tool like "shred" will do a more thorough job at trying to prevent someone scrounging magnetic residue.
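The four-pass cycle and the cache-flush point from the post above, written out as a small script. This is an added example, not jafcobend's tool or anything from the article; it assumes a POSIX sh with dd, tr, head -c, wc and sync (GNU coreutils or busybox), and it produces the 0xff stream by mapping the NUL bytes of /dev/zero through tr. The names wipe_pass, wipe_device and count_stray_bytes are this example's own. The input for each pass is cut to size with head -c rather than dd's count=, because count= on a piped input counts reads, and a pipe can deliver short reads, so a count-limited dd fed from a pipe can silently write less than intended.

```shell
#!/bin/sh
# Added example (not from the post): overwrite a target in the order 0x00, 0xff, 0x00, 0xff,
# sync after each pass, and check that the final pass actually covers the region.
# Assumptions: POSIX sh; dd, tr, head -c, wc and sync from GNU coreutils or busybox.
# TARGET is a file or block device; SIZE_MIB is how many MiB each pass must cover.

# Endless stream of 0xff bytes: every NUL from /dev/zero is mapped to octal 377.
ones_source() {
    tr '\000' '\377' < /dev/zero
}

# One pass of PATTERN ("zero" or "ones") over the first SIZE_MIB MiB of TARGET.
# head -c fixes the amount of input, so dd needs no count= and just writes what it
# is fed with a 1 MiB block size (a partial final block is written if needed).
wipe_pass() {
    target=$1; size_mib=$2; pattern=$3
    bytes=$(( size_mib * 1024 * 1024 ))
    if [ "$pattern" = "ones" ]; then
        ones_source | head -c "$bytes" | dd of="$target" bs=1M conv=notrunc 2>/dev/null
    else
        head -c "$bytes" /dev/zero | dd of="$target" bs=1M conv=notrunc 2>/dev/null
    fi
    # dd returns once the data is in the kernel's page cache; push it to the device now.
    sync
}

# Full cycle from the post: 0x00, 0xff, 0x00, 0xff, ending in the flash "erased" state.
wipe_device() {
    for p in zero ones zero ones; do
        wipe_pass "$1" "$2" "$p"
    done
}

# Print how many bytes in the first SIZE_MIB MiB of TARGET are NOT the pattern byte.
# 0 means the region is uniformly 0x00 ("zero") or 0xff ("ones"). Deleting the
# expected byte with tr and counting what is left avoids loading the region into memory.
count_stray_bytes() {
    target=$1; size_mib=$2; pattern=$3
    bytes=$(( size_mib * 1024 * 1024 ))
    if [ "$pattern" = "ones" ]; then expect='\377'; else expect='\000'; fi
    echo $(( $(head -c "$bytes" "$target" | tr -d "$expect" | wc -c) ))
}

# Usage: sh wipe.sh TARGET SIZE_MIB   (runs the cycle only when both arguments are given)
if [ "$#" -eq 2 ]; then
    wipe_device "$1" "$2"
    echo "bytes not 0xff after the final pass: $(count_stray_bytes "$1" "$2" ones)"
fi
```

Run it against a scratch file first (for example a 16 MiB file created with head -c) and confirm the stray-byte count reads 0 before pointing it at a device; the check only covers the addressable range, so it says nothing about reserve sectors, which is exactly why the post argues for multiple passes over the full capacity.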
