Your Erasures are Not Secure
For more commentary, please visit WendyMcElroy.com
A reader who recently attended a high-level security seminar along with a number of US government infosec employees has given me permission to post his description of the event...
Bona fides: The instructor spent 9 years sitting in the back seat of a USN spy plane. Most of the students (all but one or two of 22) were either current or recent past US government high level IT employees. One was a current DHS systems guy. Another was recent ex-NSA infosec. Several more were chief network security admins for Pentagon and the like.
Here is the scoop. We were discussing secure erasure of magnetic media, and a comment was made about recovering data using electron microscopy (to read remnant magnetic patterns in layers beneath current data) after a 7-pass overwrite (DOD standard for secure erasure - the presumed state of the art for wiping data). I stated my belief that such a procedure had to be prohibitively expensive and that, absent becoming a "person of interest" to the NSA, should probably not be of concern. My statement went unchallenged by the instructor, but the ex-NSA guy was looking directly at me, with a friendly smirk, and shaking his head "no". On the next bathroom break, I asked him if he was implying that the procedure had become economical. He replied in the affirmative, and added that he was aware of a single DHS laboratory with five electron microscopes in 24x7 use for this purpose, and that other labs undoubtedly exist.
So now we know what happens to a TSA-confiscated laptop, and probably to many that are listed by the owners as "missing or stolen in airport". The following day, the class discussion topic was techniques for limiting employee access to web pages at work. The DHS systems guy stated that the method currently under discussion would not work for him "because we have five sections that do nothing but look at libraries". Remember the incident a couple of years ago where the two DHS goons announced to patrons in the Maryland public library that they were there to stop them from looking at porn, etc? The disclosure may have been unintended by TPTB, but evidently the attitude truly reflects DHS philosophy. Time and concerns about self-identifying as an anti-government person kept me from making further inquiries, but that certainly does not sound encouraging.
Going forward, the assumptions must be that no information that is not very securely and correctly encrypted is even remotely safe, Big Brother is watching everything that we do at the public library (in person or on-line), and the only way to securely erase data from magnetic media is to melt or completely incinerate it and scatter the ashes.