Subject: Re: securely erasing a hard disk
To: Philip Jensen <philiprjensen@gmail.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 10/20/2005 22:23:47
On Fri, Oct 21, 2005 at 03:03:46PM +1300, Philip Jensen wrote:
> On 10/21/05, Thor Lancelot Simon <tls@rek.tjls.com> wrote:
> > On Fri, Oct 21, 2005 at 01:35:24PM +1300, Philip Jensen wrote:
> > >
> > > If so, then does the -P switch for the NetBSD rm command really
> > > provide the "security" of data erasure people think they are getting?
> > > Or should the man page have an addition of "If you are serious about
> > > removing all traces of this file then ......."?
> >
> > Did you read the entire manual page?  The -P option is the subject of
> > extensive text in the BUGS section
> 
> BUGS
>      The -P option assumes that the underlying file system is a fixed-block
>      file system.  UFS is a fixed-block file system, LFS is not.  In addition,
>      only regular files are overwritten, other types of files are not.

Before complaining that NetBSD should or shouldn't do X, you might try
looking at the latest sources -- or even the latest, or next-to-latest,
official release -- to check whether it _already_ does what you want.

I enclose the relevant part of the manual page from NetBSD 2.0.  Is it
in some way insufficient?  I did mistakenly refer you to the COMPATIBILITY
section before -- in addition to the discussion of this issue in BUGS, it
is also discussed not in COMPATIBILITY but rather in STANDARDS.

|BUGS
|    The -P option assumes that the underlying file system is a fixed-block
|    file system.  FFS is a fixed-block file system, LFS is not.  In addition,
|    only regular files are overwritten, other types of files are not.  Recent
|    research indicates that as many as 35 overwrite passes with carefully
|    chosen data patterns may be necessary to actually prevent recovery of
|    data from a magnetic disk.  Thus the -P option is likely both insuffi-
|    cient for its design purpose and far too costly for default operation.
|    However, it will at least prevent the recovery of data from FFS volumes
|    with fsdb(8).
|
|
|STANDARDS
|    The rm utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compati-
|    ble.  The -v option is an extension.
|
|    The -P option attempts to conform to U.S. DoD 5220-22.M, "National Indus-
|    trial Security Program Operating Manual" ("NISPOM") as updated by Change
|    2 and the July 23, 2003 "Clearing & Sanitization Matrix".  However,
|    unlike earlier revisions of NISPOM, the 2003 matrix imposes requirements
|    which make it clear that the standard does not and can not apply to the
|    erasure of individual files, in particular requirements relating to spare
|    sector management for an entire magnetic disk.  Because these
|    requirements are not met, the -P option does not conform to the standard.
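As an added illustration of what the BUGS text above describes (this is not code from the thread or from NetBSD's rm), here is a Python sketch of an rm -P style overwrite: it refuses anything that is not a regular file, and its comments state the fixed-block assumption under which the overwrite actually reaches the old data. The function names and the temporary-file scenario are my own; the three byte patterns are the ones the BSD rm(1) manual page documents for -P.

```python
import os
import stat
import tempfile
from pathlib import Path

PASSES = (b"\xff", b"\x00", b"\xff")  # as the BSD rm(1) page documents for -P

def overwrite_regular_file(path: str) -> int:
    """Overwrite a regular file in place, fsync each pass, return its size.
    lstat() plus O_NOFOLLOW refuse symlinks and other non-regular files ("only
    regular files" in the manual page). As with rm -P this only scrubs data on a
    fixed-block file system; a log-structured one writes the passes elsewhere."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise ValueError(f"{path}: not a regular file, refusing to overwrite")
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        size = os.fstat(fd).st_size
        for pattern in PASSES:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:  # os.write may be partial; loop until done
                remaining -= os.write(fd, pattern * min(remaining, 65536))
            os.fsync(fd)  # force this pass to the device before the next one
    finally:
        os.close(fd)
    return size

def secure_unlink(path: str) -> None:
    overwrite_regular_file(path)
    os.unlink(path)

def demo() -> dict:
    """Constructed scenario: a regular file, a symlink to it, and a directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")
        Path(target).write_bytes(b"top secret payroll")  # 18 bytes, constructed
        link = os.path.join(d, "link")
        os.symlink(target, link)
        for name, p in (("symlink", link), ("directory", d)):
            try:
                overwrite_regular_file(p)
                results[name] = "overwritten"
            except ValueError:
                results[name] = "refused"
        results["size"] = overwrite_regular_file(target)
        results["scrubbed"] = Path(target).read_bytes() == b"\xff" * 18
        secure_unlink(target)
        results["removed"] = not os.path.lexists(target)
    return results
```

Running demo() shows the symlink and directory being refused while the regular file is scrubbed and removed; on an LFS-style volume the same calls would succeed yet leave the original blocks intact, which is exactly the limitation the manual page states.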