Re: Data Erasure Products

2008-01-11 Thread Mark Jacobs
Tom Moulder wrote:
> If you have EMC DASD, then you can contact them for information about three
> erasure offerings.  The offerings are from low to high in terms of data
> erasure certification and government clearances.  The highest certification
> level is an internal program that ensures all data is erased and can not be
> retrieved.  Be prepared also to spend some time achieving the highest level
> of certification.  Hopefully the frame has been disconnected from the
> mainframe when you finally do this and so there is no impact on production
> work.
>
> Tom Moulder 
>
>
>   
Our requirement is more for the end of our Disaster Recovery tests. We
know that we can contract with them to perform the erasure but I am in
the information gathering phase of the project now.

-- 
Mark Jacobs
Time Customer Service
Tampa, FL


Riley: Find the next number in the sequence: 313, 331, 367, ...? what?

The Doctor: 379. It's a sequence of happy primes, 379.

Martha: Happy what?

The Doctor: Just enter it!

Riley: Are you sure? We only get one chance.

The Doctor: Any number that reduces to one when you take the sum of 
the square of its digits and continue iterating until it yields 1 is 
a happy number, any number that doesn't, isn't. A happy prime is 
both happy and prime. 

Doctor Who episode "42"

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Data Erasure Products

2008-01-11 Thread Larry Crilley
Add the XTINCT product from Dino-Software to your information gathering.  We
began advertising this tool in last month's z-journal.

 
Larry Crilley
Dino-Software Corporation
800.480.DINO
412.366.3566
www.dino-software.com
 
Dino-Software Utilities
T-REX - Superior catalog management tool inclusive of HSM & Tape audits 
REORGadon - First REORG While-OPEN tool for HSM
Teradon - First ever OnLine REPRO MERGECAT utility 
Xtinct - DASD Data purge 
RTD - DASD Real Time Defrag 
DAL - Analysis for Legato in an easy to view format

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Mark Jacobs
Sent: Friday, January 11, 2008 12:29 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Data Erasure Products

Outside of FDRERASE and good old ICKDSF are there any products in the
market that can erase data from mainframe DASD?

I didn't see anything in the CBT archive for DASD, just some tape
erasure programs.

-- 
Mark Jacobs
Time Customer Service
Tampa, FL




Re: Data Erasure Products

2008-01-11 Thread Mark Jacobs
Larry Crilley wrote:
> Add the XTINCT product from Dino-Software to your information gathering.  We
> began advertising this tool in last month's z-journal.
>
>  
> Larry Crilley
> Dino-Software Corporation
> 800.480.DINO
> 412.366.3566
> www.dino-software.com
>  
> Dino-Software Utilities
> T-REX - Superior catalog management tool inclusive of HSM & Tape audits 
> REORGadon - First REORG While-OPEN tool for HSM
> Teradon - First ever OnLine REPRO MERGECAT utility 
> Xtinct - DASD Data purge 
> RTD - DASD Real Time Defrag 
> DAL - Analysis for Legato in an easy to view format
>
>   

I don't see the product on your web page. Can you give me a URL for me
to look at?

-- 
Mark Jacobs
Time Customer Service
Tampa, FL




Re: Data Erasure Products

2008-01-11 Thread Richbourg, Claude
Yes,

It is listed under 'Stand Alone Edit' which we have.
A blip follows:

1 - Fast DASD Erase 

Fast DASD Erase may be licensed separately by users interested in
erasing data at the end of their Disaster Recovery tests or when
decommissioning DASD. 

Erasing test data at the end of a Disaster Recovery test may be one of
the most important steps of the test itself. SAE users enjoy peace of
mind knowing they have completely erased all mission-critical and
personal data, thereby safeguarding it from unwanted use. This is
especially important in an era of government regulations, such as HIPAA,
GLBA, PIPEDA, etc. Users also appreciate the reduction in time and money
saved during the actual erasure. 
 
HTH further.

Regards,
Claude Richbourg

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Jacobs
Sent: Friday, January 11, 2008 12:45 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Data Erasure Products

Richbourg, Claude wrote:
> There is another one that we have used.
> It is by NEWERA software and it is, 'DASD FAST ERASE'. It works good as
> you can do as many passes over the data with different patterns as
> needed.
> HTH.
>
> Regards,
> Claude Richbourg
>
>
>   
I just went on their website and the only products I see there are Image
Focus and Stand Alone Edit. Is the product you mentioned still being
marketed by NewEra?

-- 
Mark Jacobs
Time Customer Service
Tampa, FL




Re: Data Erasure Products

2008-01-11 Thread Mark Jacobs
Richbourg, Claude wrote:
> There is another one that we have used.
> It is by NEWERA software and it is, 'DASD FAST ERASE'. It works good as
> you can do as many passes over the data with different patterns as
> needed.
> HTH.
>
> Regards,
> Claude Richbourg
>
>
>   
I just went on their website and the only products I see there are Image
Focus and Stand Alone Edit. Is the product you mentioned still being
marketed by NewEra?

-- 
Mark Jacobs
Time Customer Service
Tampa, FL




Re: Data Erasure Products

2008-01-11 Thread Tom Moulder
If you have EMC DASD, then you can contact them for information about three
erasure offerings.  The offerings are from low to high in terms of data
erasure certification and government clearances.  The highest certification
level is an internal program that ensures all data is erased and can not be
retrieved.  Be prepared also to spend some time achieving the highest level
of certification.  Hopefully the frame has been disconnected from the
mainframe when you finally do this and so there is no impact on production
work.

Tom Moulder 



Re: Data Erasure Products

2008-01-11 Thread Richbourg, Claude
There is another one that we have used.
It is by NEWERA software and it is, 'DASD FAST ERASE'. It works good as
you can do as many passes over the data with different patterns as
needed.
HTH.

Regards,
Claude Richbourg



Re: Data Erasure Products

2008-01-11 Thread Gabe Torres
 
The added benefit of NewERA's product is its other 'DR' capabilities.
You can IPL the software and make changes to datasets in an ISPF-like
editor (display, edit, copy, print, etc.), without an Operating System
running.  Much like a Standalone zOS one-pack system.  It does NOT
replace our DR/Recovery processes, but it enhances them.  

gabe 


  



Re: Data Erasure Products

2008-01-11 Thread Ed Gould

On Jan 11, 2008, at 11:29 AM, Mark Jacobs wrote:


Outside of FDRERASE and good old ICKDSF are there any products in the
market that can erase data from mainframe DASD?

I didn't see anything in the CBT archive for DASD, just some tape
erasure programs.

--  
Mark Jacobs

Time Customer Service
Tampa, FL



Mark,

FDRERASE is from a reputable company and IIRC it is reasonably cheap. I
looked at it a while ago and I thought it was a good buy. Plus the
Innovation people stand behind their software, that's important when
you are talking about security.


Ed



Re: Data Erasure Products

2008-01-11 Thread Rick Fochtman

---

FDRERASE is from a reputable company and IIRC it is reasonably cheap. I
looked at it a while ago and I thought it was a good buy. Plus the
Innovation people stand behind their software, that's important when
you are talking about security.

---

Although Ed and I seldom agree, here's one issue where I MUST agree. We
used it at Clearing, for DR test cleanup and hardware replacement
cleanup. It's good, it's fast and it's cheap. Go for it.


Rick



Re: Data Erasure Products

2008-01-11 Thread Ron Hawkins
Mark,

If you are using HDS then the same facility is called "data shredding".

It provides secure erasure of a volume at the physical disk. A small
advantage of the Storage Controller based solutions is that you can erase
the drives after your Drill system is down, and you can do all your non z/OS
LUNs and volumes at the same time.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Tom Moulder
> Sent: Friday, January 11, 2008 9:49 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Data Erasure Products
>
> If you have EMC DASD, then you can contact them for information about three
> erasure offerings.  The offerings are from low to high in terms of data
> erasure certification and government clearances.  The highest certification
> level is an internal program that ensures all data is erased and can not be
> retrieved.  Be prepared also to spend some time achieving the highest level
> of certification.  Hopefully the frame has been disconnected from the
> mainframe when you finally do this and so there is no impact on production
> work.
>
> Tom Moulder
>



Re: Data Erasure Products

2008-01-12 Thread R.S.

Mark Jacobs wrote:

Outside of FDRERASE and good old ICKDSF are there any products in the
market that can erase data from mainframe DASD?


If you want a more or less certified method, you need to buy something.
A degausser is "most certified", but it destroys your disks.


If you need a reasonably quick, cheap and effective method, I would use
DASD reconfiguration facilities. Usually that means CE intervention.


My $0.02

--
Radoslaw Skorupka
Lodz, Poland




Re: Data Erasure Products

2008-01-12 Thread Stephen Mednick
> 
> Outside of FDRERASE and good old ICKDSF are there any 
> products in the market that can erase data from mainframe DASD?
> 
> I didn't see anything in the CBT archive for DASD, just some 
> tape erasure programs.
> 
> --
> Mark Jacobs
> Time Customer Service
> Tampa, FL
> 
> 

There are any number of solutions both hardware & software that lay claim to
being DOD compliant for the purposes of erasing data from mainframe DASD but
very few that can make the claim that they have been independently certified
by a government sponsored agency as meeting the compliance requirements.

Before selecting any of the solutions put forward, one needs to check with
their IT Security Advisor and/or Auditors to see what their expectations are,
that is, whether a compliant solution is good enough or whether it has to be
certified as a compliant solution. A list of certified compliant solutions
can be found at the following site listed under the heading "Technology Type"
as "Sensitive Data Protection":

http://niap-ccevs.org/cc-scheme/vpl/

Furthermore, the question needs to be asked whether or not the requirement is
for "clearing"/"overwriting" the disk or the more stringent requirement of
"purging"/"sanitizing" the disk. These definitions are described in the
documents:

NCSC-TG-025 A Guide to Understanding Data Remanence in Automated Information
Systems
DoD 5220.22-M National Industrial Security Program Operation Manual

"clearing"/"overwriting" requirements are usually ok for the OP's requirement
when leaving a DR site but the "purging"/"sanitizing" requirement may be a
mandatory requirement when decommissioning obsolete storage subsystems.

There are a number of Government & Industrial guidelines that dictate what
are the requirements. These include HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley
as well as the PCI DSS requirement for organisations who are involved with
the issue and processing of credit card payment etc.

At the end of the day, the decision as to what product to use may not be that
of the humble storage management technician but a decision that is dictated
by the requirements of the corporate IT Security Advisor and/or Auditor. It
may well be worth your job tenure to go and check!


Stephen Mednick
Computer Supervisory Services
Sydney, Australia



Re: Data Erasure Products

2008-01-14 Thread Van Dalsen, Herbie
My question on this topic is the following...
If you are replacing your shark with a new one, once the data is
migrated, would it not be possible to go to the ESS console and delete
all your disk, and reformat them for open systems, and create 100's of
1.2m disks, leaving the ESS format software to effectively kill all
usable data... You can then walk away while this processes all by its
own, no baby-sitting needed, and if your neurosis have not died down
after that, reverse the process... Surely this happens at HW level and
should be more successful than other software driven efforts?

Herbie




Re: Data Erasure Products

2008-01-14 Thread Ron Hawkins
Herbie,

A format as you describe will leave the old data unreadable, and that
will probably suffice in most cases. However it is not actually shredded,
and the prior contents of the drives can be recovered in the best James Bond
tradition - art becomes life.

If your company requires secure erasure, then the drives need to be
overwritten several times with patterns that will mask the prior contents.
The FDRERASE software does this by waiting for each pass to settle to disk
before writing the next pass, so that overwrites do not occur in cache. It
works exactly as advertised.

Ron
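
The pass-by-pass overwrite described in the post above, sketched on an ordinary file as an added example; it is not FDRERASE code and not part of the thread. The pattern set, chunk size and function names are assumptions chosen for illustration, and the sample data is constructed.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write granularity (assumption; not a DASD track size)

# Assumed pattern set for illustration: fixed byte, its complement, then random.
# None means "fill with random bytes".
PASSES = (b"\x00", b"\xff", None)


def _write_pass(fd, size, pattern):
    """Overwrite bytes [0, size) with one pattern, then force it out of cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        remaining -= os.write(fd, buf)  # os.write may accept fewer than n bytes
    # The step the post singles out: each pass must settle before the next one
    # starts, otherwise later passes may only replace earlier ones in cache.
    os.fsync(fd)


def _verify_pass(fd, size, pattern):
    """Read back a fixed-pattern pass. This checks the write logic only: the OS
    may serve the read from its cache, so it is not proof of the medium's state."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        chunk = os.read(fd, min(CHUNK, remaining))
        if not chunk or chunk != pattern * len(chunk):
            return False
        remaining -= len(chunk)
    return True


def erase_file(path, passes=PASSES):
    """Overwrite a file in place, one synced pass per pattern, and return a
    per-pass report that can be kept as evidence of what was done.

    In-place overwrite only reaches the old data where a logical block maps to
    a fixed physical location (not on copy-on-write or flash-remapped storage).
    """
    report = []
    flags = os.O_RDWR | getattr(os, "O_BINARY", 0)  # no O_TRUNC: reuse the extent
    fd = os.open(path, flags)
    try:
        size = os.fstat(fd).st_size
        for number, pattern in enumerate(passes, start=1):
            _write_pass(fd, size, pattern)
            report.append({
                "pass": number,
                "pattern": "random" if pattern is None else pattern.hex(),
                "bytes": size,
                "synced": True,
                "verified": None if pattern is None
                else _verify_pass(fd, size, pattern),
            })
    finally:
        os.close(fd)
    return report


def demo():
    """Erase a temp file of constructed sample records; return what is left."""
    secret = b"ACCT=4111-CONSTRUCTED-SAMPLE\n" * 5000  # constructed test data
    with tempfile.NamedTemporaryFile(delete=False) as handle:
        handle.write(secret)
        path = handle.name
    try:
        report = erase_file(path)
        with open(path, "rb") as handle:
            after = handle.read()
        return report, len(secret), after
    finally:
        os.remove(path)


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```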


Re: Data Erasure Products

2008-01-14 Thread Warner Mach
>Mark Jacobs wrote:
>If you want more or less certified method, you need to buy something. 
>Degausser is "most certified", but it destroys your disks. 

Somewhat tangential to the issue of mainframe drives, it is interesting 
that, for ATA PC drives, there is another alternative. See:
http://blogs.zdnet.com/storage/?p=129&tag=nl.e540
In this article, written by Robin Harris of ZDNet, there is detailed a 
little-known fact about ATA drives. Most of these drives (since 2001) 
have a built-in facility to completely erase the drive, called 
'Secure Erase.' In most cases this facility has been disabled (by BIOS) 
... The article outlines how to take advantage of 'Secure Erase.'



Re: Data Erasure Products

2008-01-14 Thread Van Dalsen, Herbie
Thanks Ron,

I was hoping that the formatting of the ESS could do that for me. Not
sure what's going to happen to the 3590 carts... But then that is
another story altogether... 

Herbie


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ron Hawkins
Sent: 14 Januarie 2008 03:20 nm
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Data Erasure Products

Herbie,

A format as you describe will leave the data old data unreadable, and
that
will probably suffice in most cases. However it is not actually
shredded,
and the prior contents of the drives can be recovered in the best James
Bond
tradition - art becomes life.

If your company requires secure erasure, then the drives need to be
overwritten several times with patterns that will mask the prior
contents.
The FDRERASE software does this by waiting for each pass to settle to
disk
before writing the next pass, so that overwrites do not occur in cache.
It
works exactly as advertised.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Van Dalsen, Herbie
> Sent: Monday, January 14, 2008 3:05 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Data Erasure Products
> 
> My question on this topic is the following...
> If you are replacing your shark with a new one, once the data is
> migrated, would it not be possible to go to the ESS console and delete
> all your disk, and reformat them for opens stems, and create 100's of
> 1.2m disks, leaving the ESS format software to effectively kill all
> usable data... You can then walk away while this processes all by it's
> own, no baby-sitting needed, and if your neurosis have not died down
> after that, reverse the process... Surely this happens at HW level and
> should be more successful that other software driven efforts?
> 
> Herbie
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Stephen Mednick
> Sent: 12 Januarie 2008 10:07 nm
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Data Erasure Products
> 
> >
> > Outside of FDRERASE and good old ICKDSF are there any
> > products in the market that can erase data from mainframe DASD?
> >
> > I didn't see anything in the CBT archive for DASD, just some
> > tape erasure programs.
> > * *
> >
> > --
> > Mark Jacobs
> > Time Customer Service
> > Tampa, FL
> > 
> >
> 
> There are any number of solutions both hardware & software that lay claim to
> being DOD compliant for the purposes of erasing data from mainframe DASD but very
> few that can make the claim that they have been independently certified by a
> government sponsored agency as meeting the compliance requirements.
>
> Before selecting any of the solutions put forward, one needs to check with their
> IT Security Advisor and/or Auditors to see what their expectations are, that is,
> whether a compliant solution is good enough or whether it has to be certified as a
> compliant solution. A list of certified compliant solutions can be found at the
> following site listed under the heading "Technology Type" as "Sensitive Data
> Protection":
>
> http://niap-ccevs.org/cc-scheme/vpl/
>
> Furthermore, the question needs to be asked whether or not the requirement is for
> "clearing"/"overwriting" the disk or the more stringent requirement of
> "purging"/"sanitizing" the disk. These definitions are described in the
> documents:
>
> NCSC-TG-025 A Guide to Understanding Data Remanence in Automated Information
> Systems
> DoD 5220.22-M National Industrial Security Program Operating Manual
>
> "clearing"/"overwriting" requirements are usually ok for the OP's requirement
> when leaving a DR site but the "purging"/"sanitizing" requirement may be a
> mandatory requirement when decommissioning obsolete storage subsystems.
>
> There are a number of Government & Industrial guidelines that dictate what are
> the requirements. These include HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley as well
> as the PCIDSS requirement for organisations who are involved with the issue and
> processing of credit card payment etc.
>
> At the end of the day, the decision as to what product to use may not be that of
> the humble storage management technician but a decision that is dictated by the
> requirements of the corporate IT Security Advisor and/or Auditor. It may well be
> worth your job tenure to go and check!
> 
> 
> Stephen Mednick
> Computer S

Re: Data Erasure Products

2008-01-14 Thread Ron Hawkins
Van,

That's why HDS (and I hear now EMC) provide a shredder in the hardware. You
can shred volumes unattended after a drill, or you can "shred" a LUN or
volume that was previously assigned to Human Resources or Credit Card
application before assigning that LUN or Array Group to a development
system.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Van Dalsen, Herbie
> Sent: Monday, January 14, 2008 9:10 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Data Erasure Products
> 
> Thanks Ron,
> 
> I was hoping that the formatting of the ESS could do that for me. Not
> sure what's going to happen to the 3590 carts... But then that is
> another story altogether...
> 
> Herbie
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Ron Hawkins
> Sent: 14 January 2008 03:20 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Data Erasure Products
> 
> Herbie,
>
> A format as you describe will leave the old data unreadable, and that
> will probably suffice in most cases. However it is not actually shredded,
> and the prior contents of the drives can be recovered in the best James
> Bond tradition - art becomes life.
>
> If your company requires secure erasure, then the drives need to be
> overwritten several times with patterns that will mask the prior contents.
> The FDRERASE software does this by waiting for each pass to settle to disk
> before writing the next pass, so that overwrites do not occur in cache. It
> works exactly as advertised.
> 
> Ron
> 
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> > Behalf Of Van Dalsen, Herbie
> > Sent: Monday, January 14, 2008 3:05 AM
> > To: IBM-MAIN@BAMA.UA.EDU
> > Subject: Re: [IBM-MAIN] Data Erasure Products
> >
> > My question on this topic is the following...
> > If you are replacing your shark with a new one, once the data is
> > migrated, would it not be possible to go to the ESS console and delete
> > all your disk, and reformat them for open systems, and create 100's of
> > 1.2m disks, leaving the ESS format software to effectively kill all
> > usable data... You can then walk away while this processes all by its
> > own, no baby-sitting needed, and if your neuroses have not died down
> > after that, reverse the process... Surely this happens at HW level and
> > should be more successful than other software driven efforts?
> >
> > Herbie
> >
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> > Behalf Of Stephen Mednick
> > Sent: 12 January 2008 10:07 PM
> > To: IBM-MAIN@BAMA.UA.EDU
> > Subject: Re: Data Erasure Products
> >
> > >
> > > Outside of FDRERASE and good old ICKDSF are there any
> > > products in the market that can erase data from mainframe DASD?
> > >
> > > I didn't see anything in the CBT archive for DASD, just some
> > > tape erasure programs.
> > > * *
> > >
> > > --
> > > Mark Jacobs
> > > Time Customer Service
> > > Tampa, FL
> > > 
> > >
> >
> > There are any number of solutions both hardware & software that lay claim to
> > being DOD compliant for the purposes of erasing data from mainframe DASD but very
> > few that can make the claim that they have been independently certified by a
> > government sponsored agency as meeting the compliance requirements.
> >
> > Before selecting any of the solutions put forward, one needs to check with their
> > IT Security Advisor and/or Auditors to see what their expectations are, that is,
> > whether a compliant solution is good enough or whether it has to be certified as a
> > compliant solution. A list of certified compliant solutions can be found at the
> > following site listed under the heading "Technology Type" as "Sensitive Data
> > Protection":
> >
> > http://niap-ccevs.org/cc-scheme/vpl/
> >
> > Furthermore, the question needs to be asked whether or not the requirement is for
> > "clearing"/"overwriting" the disk or the more stringent requirement of
> > "purging"/"sanitizing" the disk. These definitions are described in the
> > documents:
> >
> > NCSC-TG-025 A Guide to Understandi
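
Ron Hawkins' point in the message above, that each overwrite pass has to settle to disk before the next one is written so the passes do not simply replace one another in cache, is shown here as an added Python example for a POSIX file or block device; it is not FDRERASE code and does not come from any poster. The pass schedule and all function names are assumptions made for the illustration.

```python
import hashlib
import os

CHUNK = 1 << 20  # write and read in 1 MiB pieces

# Assumed pass schedule for this illustration (None = random data). The schedule
# a site must use comes from its security advisor or auditor, not from here.
DEFAULT_PASSES = (b"\x00", b"\xff", None)


def fill(pattern, n):
    """Return n bytes of the fixed pattern, or n random bytes if pattern is None."""
    if pattern is None:
        return os.urandom(n)
    return (pattern * (n // len(pattern) + 1))[:n]


def write_pass(fd, size, pattern):
    """Overwrite bytes [0, size) once; return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = memoryview(fill(pattern, n))
        digest.update(buf)
        while len(buf):                  # os.write may accept fewer bytes than given
            buf = buf[os.write(fd, buf):]
        remaining -= n
    # The point of the passage: push this pass out of the OS cache to the device
    # before the next pass starts, so passes are not coalesced in memory.
    os.fsync(fd)
    return digest.hexdigest()


def read_back(fd, size):
    """Re-read bytes [0, size) and return their SHA-256."""
    if hasattr(os, "posix_fadvise"):
        try:
            # Ask the kernel to drop its cached copy so the read goes to the
            # device. Advisory only, and not available on every platform.
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        except OSError:
            pass
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data:
            break                        # short read: the digests will differ
        digest.update(data)
        remaining -= len(data)
    return digest.hexdigest()


def erase(path, passes=DEFAULT_PASSES):
    """Run every pass over path and return one report dict per pass."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        report = []
        for number, pattern in enumerate(passes, 1):
            written = write_pass(fd, size, pattern)
            verified = read_back(fd, size) == written
            report.append({
                "pass": number,
                "pattern": "random" if pattern is None else pattern.hex(),
                "bytes": size,
                "verified": verified,
            })
            if not verified:
                raise OSError(f"pass {number} did not read back as written")
        return report
    finally:
        os.close(fd)


if __name__ == "__main__":
    import tempfile
    # Constructed sample "volume": a temporary file, so the demo touches nothing real.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONSTRUCTED-PAYROLL-RECORD " * 50_000)
    for line in erase(tmp.name):
        print(line)
    os.remove(tmp.name)
```

The flush and read-back only cover the logical volume the host sees. On arrays that virtualise volumes, which Ed Gould raises later in the thread, the old physical blocks may survive a host-side overwrite, which is the case for the hardware shredder Ron mentions.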

Re: Data Erasure Products

2008-01-15 Thread Mike Baldwin
On Mon, 14 Jan 2008 17:10:06 -, Van Dalsen, Herbie 
<[EMAIL PROTECTED]> wrote:

>Not sure what's going to happen to the 3590 carts... 

Some examples of what can be done, depending on requirements:
- If re-deploying 3590's, the Data Security Erase command can be used.  This 
is available from a CBT program (I believe), or our TelTape for z/OS or TelTape 
for Windows products.
- Also if re-deploying, 3590's can be systematically overwritten.  Our Windows 
product also "certifies" so you will know which cartridges are error-free and 
which fail, as well as having the data overwritten.
- Otherwise, Secure Media Destruction services can be contracted.  This 
involves an optional step of degaussing the 3590's on-site, followed by 
transportation to a destruction facility.  Our partner uses a Waste-To-Energy 
process that minimizes environmental impact.  The on-site degaussing step is 
performed more frequently these days.

Regards,
Mike Baldwin
Cartagena Software Ltd.
www.cartagena.com



Re: Data Erasure Products

2008-01-31 Thread SUBSCRIBE IBM-MAIN Niall
How about encrypting the volume in its entirety before deletion?

I've been through the DR/deletion exercise a few times, and used an in-house
utility to overwrite the disk. If available, however, would encryption not
be a possible solution in that even if a shadow of the data were left, it
should at least be in a format that is not readable?

I ask because some sites may already have invested in an encryption tool,
and it might be an imaginative use of an existing asset.



Re: Data Erasure Products

2008-01-31 Thread Ron Hawkins
Why not have the applications encrypt sensitive data before they write it.
Seems to me that this is the logical place to protect data. DASD shredding
would become an academic argument...

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of SUBSCRIBE IBM-MAIN Niall
> Sent: Thursday, January 31, 2008 1:48 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Data Erasure Products
> 
> How about encrypting the volume in its entirety before deletion?
> 
> I've been through the DR/deletion exercise a few times, and used an in-house
> utility to overwrite the disk. If available, however, would encryption not
> be a possible solution in that even if a shadow of the data were left, it
> should at least be in a format that is not readable?
> 
> I ask because some sites may already have invested in an encryption tool,
> and it might be an imaginative use of an existing asset.
> 



Re: Data Erasure Products

2008-01-31 Thread Ed Gould

On Jan 31, 2008, at 3:48 AM, SUBSCRIBE IBM-MAIN Niall wrote:

> How about encrypting the volume in its entirety before deletion?
>
> I've been through the DR/deletion exercise a few times, and used an in-house
> utility to overwrite the disk. If available, however, would encryption not
> be a possible solution in that even if a shadow of the data were left, it
> should at least be in a format that is not readable?
>
> I ask because some sites may already have invested in an encryption tool,
> and it might be an imaginative use of an existing asset.

I vaguely remember a story here I cannot remember where I heard it
(it may be an urban legend).
*SUPPOSEDLY* the CIA (NSA??) was able to read a disk even after data
has been written on it, even after 10 or 11 times.

I have heard this but where? I do *NOT* know if this is true or not.

Ed



Re: Data Erasure Products

2008-01-31 Thread Pat Mihalec
I have used FDR Erase. It is easy to install and use. We last used it 
after a DR test.
Not too expensive.

Pat Mihalec
Rush University Medical Center
Senior System Programmer
(312) 942-8386
[EMAIL PROTECTED]



Re: Data Erasure Products

2008-01-31 Thread George Fogg
> On Jan 31, 2008, at 3:48 AM, SUBSCRIBE IBM-MAIN Niall wrote:
>
>> How about encrypting the volume in its entirety before deletion?
>>
>> I've been through the DR/deletion exercise a few times, and used an
>> in-house utility to overwrite the disk. If available, however, would
>> encryption not be a possible solution in that even if a shadow of the
>> data were left, it should at least be in a format that is not readable?
>>
>> I ask because some sites may already have invested in an encryption
>> tool, and it might be an imaginative use of an existing asset.
>>
> I vaguely remember a story here I cannot remember where I heard it
> (it may be an urban legend).
> *SUPPOSEDLY* the CIA (NSA??) was able to read a disk even after data
> has been written on it, even after 10 or 11 times.
>
> I have heard this but where? I do *NOT* know if this is true or not.
>
> Ed
I have worked at several top secret installations in the past and I was told
that they take the old DASD and drop them in an acid bath then cut them up.
Never saw it happen so not totally sure it was done or not.
George Fogg



Re: Data Erasure Products

2008-01-31 Thread Stephen Mednick
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Pat Mihalec
> Sent: Friday, 1 February 2008 7:04 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Data Erasure Products
> 
> I have used FDR Erase. It is easy to install and use. We last 
> used it after a DR test.
> Not too expensive.
> 
> Pat Mihalec
> Rush University Medical Center
> Senior System Programmer
> (312) 942-8386
> [EMAIL PROTECTED]
> 

Just to let people know, Innovation Data Processing's FDRERASE/OPEN has just now
acquired formal CCEVS accreditation with a conformance claim of EAL2 Augmented
with ALC_FLR.2 .

The details of the validation can be viewed at the following link:

http://niap-ccevs.org/cc-scheme/st/index.cfm/vid/10232

For those who are interested, the CCEVS accreditation details for the existing
FDRERASE for z/OS can be viewed at the following link:

http://niap-ccevs.org/cc-scheme/st/index.cfm/vid/10064

Stephen Mednick
Computer Supervisory Services
Sydney, Australia



Re: Data Erasure Products

2008-01-31 Thread Gary Green
My uncle did design work on satellites and all his top secret work took
place in a vault.  When it came time to replace/erase his personal disk
drives, all of them were physically crushed into a cube as I recall.


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of George Fogg
Sent: Thursday, January 31, 2008 3:29 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Data Erasure Products

> On Jan 31, 2008, at 3:48 AM, SUBSCRIBE IBM-MAIN Niall wrote:
>
>> How about encrypting the volume in its entirety before deletion?
>>
>> I've been through the DR/deletion exercise a few times, and used an 
>> in-house utility to overwrite the disk. If available, however, would 
>> encryption not be a possible solution in that even if a shadow of the 
>> data were left, it should at least be in a format that is not 
>> readable?
>>
>> I ask because some sites may already have invested in an encryption 
>> tool, and it might be an imaginative use of an existing asset.
>>
> I vaguely remember a story here I cannot remember where I heard it (it 
> may be an urban legend).
> *SUPPOSEDLY* the CIA (NSA??) was able to read a disk even after data 
> has been written on it, even after 10 or 11 times.
>
> I have heard this but where? I do *NOT* know if this is true or not.
>
> Ed
I have worked at several top secret installations in the past and I was told
that they take the old DASD and drop them in an acid bath then cut them up.
Never saw it happen so not totally sure it was done or not.
George Fogg



Re: Data Erasure Products

2008-01-31 Thread Stephen Mednick
 

> -Original Message-
> > Ed
> I have worked at several top secret installations in the past 
> and I was told that they take the old DASD and drop them in an 
> acid bath then cut them up.
> Never saw it happen so not totally sure it was done or not.
> George Fogg
> 

Physical destruction of DASD such as that described by George is probably the
"purest" form of data destruction. However, if my understanding of the various
compliance requirements is correct, it would need to be witnessed by someone from
the owning organisation in order to provide formal verification.

The downside of physically destroying the media as against using a certified
erase solution to remove the contents is that the obsolete storage media can
never be acquired on a lease-basis given that the box is not going to be able to
be returned intact when the lease would have expired. For storage subsystems that
have been purchased, there's no way that any residual value that the box might
contain can be realised.

Using a secure storage sanitisation or overwriting methodology, once the data has
been removed, it's then possible to put out requests to second hand equipment
dealers to submit an offer to acquire the box and remove it and at least get some
dollars back.

Stephen Mednick
Computer Supervisory Services
Sydney, Australia



Re: Data Erasure Products

2008-01-31 Thread Ted MacNEIL
>Unless there is some weird legislative standard which says that encryption is 
>fine for transmission of data over open IP networks, but is not fine for 
>redundant data held on permanent storage. 

I'm interpreting this from a Canadian perspective, but after working for a 
company headquartered in the US, I don't believe there are any legislative 
standards.

SOX, et al, say you have to protect your data.
They don't say how, since they are not IT professionals.

It's up to your:
SME's
Compliance officers
And, auditors -- external and internal.

-
Too busy driving to stop for gas!



Re: Data Erasure Products

2008-01-31 Thread SUBSCRIBE IBM-MAIN Niall
I've heard from my Amdahl days that the decommissioned machines had to be 
destroyed rather than returned for their parts value - and that the destruction 
was pretty definitive.

But none of these anecdotes answer my question: would you feel happy after, 
for instance, a DR test, to know that the DASD you used contained only 
encrypted data and that the VTOC's had been overwritten? More importantly, 
would this ensure compliance with the standards required?

I ask because there seems to be a couple of contradictory issues involved: in 
some jurisdictions a standard of encryption is considered to be a requirement 
when sending data offsite, be it over the wires or in some other portable 
format. In other words, the authorities accept that once it has been 
encrypted and adequate care is taken over key exchange, then you have 
fulfilled the requirements to protect your data. Yet deleted data seems to 
require another standard - or does it?

In the same vein, if you are decommissioning DASD, or removing yourself from a 
hot-site, would encrypting your data be adequate both to satisfy compliancy 
requirements and to make you feel comfortable yourselves? I assume the re-init 
at the least of the volumes afterwards, of course. Even the entries of a VTOC 
could be valuable.

I'd be interested to see what the Innovation Data Processing people would 
have to say on this as they provide both encryption and erase products. One 
of them - short of huge performance factors which wouldn't really be an issue 
when decommissioning DASD - would appear to be redundant.

Unless there is some weird legislative standard which says that encryption is 
fine for transmission of data over open IP networks, but is not fine for 
redundant data held on permanent storage. 



Re: Data Erasure Products

2008-01-31 Thread Stephen Mednick
 

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of SUBSCRIBE IBM-MAIN Niall
> Sent: Friday, 1 February 2008 10:16 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Data Erasure Products
> 
< SNIP >
> But none of these anecdotes answer my question: would you 
> feel happy after, for instance, a DR test, to know that the 
> DASD you used contained only encrypted data and that the 
> VTOC's had been overwritten? More importantly, would this 
> ensure compliance with the standards required?
> 
> I ask because there seems to be a couple of contradictory 
> issues involved: in some jurisdictions a standard of 
> encryption is considered to be a requirement when sending 
> data offsite, be it over the wires or in some other portable 
> format. In other words, the authorities accept that once it 
> has been encrypted and adequate care is taken over key 
> exchange, then you have fulfilled the requirements to protect 
> your data. Yet deleted data seems to require another standard 
> - or does it?
> 
> In the same vein, if you are decommissioning DASD, or removing 
> yourself from a hot-site, would encrypting your data be 
> adequate both to satisfy compliancy requirements and to make 
> you feel comfortable yourselves? I assume the re-init at the 
> least of the volumes afterwards, of course. Even the entries 
> of a VTOC could be valuable.
> 
< SNIP >

Your idea would appear to have some merit but I am not aware of any facility to
be able to encrypt data in-place (I may be wrong) and from my knowledge, it's
usually the case that the data is to be read through an encryption facility,
apply an encryption key and then write out the encrypted data.

Therefore, I can't see how you could conceivably encrypt existing data in-place.
If using a software encryption tool, there is usually a high price to pay in
terms of CPU cycles to undertake the encryption process and to try and encrypt an
entire volume could prove fairly costly, time-wise at the completion of a DR
exercise. 

Compare the time to encrypt in the manner you are suggesting to a software
product that is quoted as being able to erase 3 Terabytes of data in less than 2
hours.

By the way, the folks on this list would probably appreciate it if you could sign
your posts.

Stephen Mednick
Marketing & Support Manager
Computer Supervisory Services
Tel: +61 (2) 9665 1104
Fax: +61 (2) 9665 7382



Re: Data Erasure Products

2008-01-31 Thread SUBSCRIBE IBM-MAIN Niall
There are several data protection standards applying over here in Europe, but 
I would guess that I could at least defend myself to SOX auditors if I chose 
to use encryption in the scenarios I described. Alas, your mileage may vary in 
all of these things.

My interest in the subject is a theoretical one, which would hold that an 
adequate standard of encryption should allow you to leave data wherever it 
lies and not to worry about it so long as the finder doesn't have the key.

Thanks for the replies!

Niall



Re: Data Erasure Products

2008-01-31 Thread Ed Gould

On Jan 31, 2008, at 2:29 PM, George Fogg wrote:

> I have worked at several top secret installations in the past and I was told
> that they take the old DASD and drop them in an acid bath then cut them up.
> Never saw it happen so not totally sure it was done or not.
> George Fogg

George,

Well it would put an end to any thought of recovery that is for sure.
Of course there was a TV episode about an acid bath and they did
figure out the persons identity after it but that is TV for you.
I wish I had a chance to ask an (now) ex-IBMer about this as it is an
interesting issue. I am sure that security means different things to
different people/companies.
I would think the government has some sort of guidelines in this area
as to how to erase the data. What gets interesting on the "new" type of
DASD is that the platters are not used for "permanent" DASD to me it
is like a virtual dasd volume (much like the 3850). The security
"erasure" would be a lot different in those types of equipment as
data is never actually deleted just pointers are "evaporated". I
would hope the manufacturer would have a really good erase program
(procedure).



Ed



Re: Data Erasure Products

2008-01-31 Thread Ed Gould

On Jan 31, 2008, at 3:31 PM, Stephen Mednick wrote:

--SNIP
> The downside of physically destroying the media as against using a certified
> erase solution to remove the contents is that the obsolete storage media can
> never be acquired on a lease-basis given that the box is not going to be able to
> be returned intact when the lease would have expired. For storage subsystems that
> have been purchased, there's no way that any residual value that the box might
> contain can be realised.
>
> Using a secure storage sanitisation or overwriting methodology, once the data has
> been removed, it's then possible to put out requests to second hand equipment
> dealers to submit an offer to acquire the box and remove it and at least get some
> dollars back.

Stephen:

It comes down purely (IMO) how valuable the data is. If it's nuclear
bomb data (or the like) then I would suggest that cost is not an issue.
If it's secure type data (ie HIPAA(sp?) or payroll or bank files) it
is different. Each one probably has its own requirements. I am not a
lawyer (and don't profess to be one). I would suggest that if there
is any question get a lawyer to sign off on it or/in addition to the
government agency that has jurisdiction in the area.


Ed



Re: Data Erasure Products

2008-01-31 Thread Ed Gould

On Jan 31, 2008, at 5:15 PM, SUBSCRIBE IBM-MAIN Niall wrote:

---SNIP---
> Unless there is some weird legislative standard which says that encryption is
> fine for transmission of data over open IP networks, but is not fine for
> redundant data held on permanent storage.

OK.. but what encryption? and how many bytes of key are mandatory? 1
byte, 64 bytes or ?
I do not pretend to know the answer, but for me if it's really secure
it doesn't go over an IP network I don't care how many bytes are in
the encryption key.
The IP (INTERNET) network was never meant to be a secure way of
transferring data. *MAYBE* if it's a private one and there are
appropriate safe guards but *NOT* the Internet.

I heard of a place in Switzerland that used a new kind of encryption
that if anybody even copied (looked) at the data the receiver was
notified and the data was effectively vaporized. I believe the Swiss
believe in security and when they go to this extreme just to transmit
vote type data you can believe it's secure.

Ed



Re: Data Erasure Products

2008-01-31 Thread Stephen Mednick
> Stephen:
> 
> It comes down purely (IMO) how valuable the data is. If it's 
> nuclear bomb data (or the like) then I would suggest that 
> cost is not an issue.

Ed,

it's not a case of how valuable the data is, more importantly it's to do with
what the security classification is that has been assigned to the data. Depending
on the data's security classification dictates the media overwriting/sanitisation
method that is to be deployed in accordance with government requirements.

You'll find that these days most organisations are required to have a designated
IT Security Advisor whose job it is to keep abreast of compliance regulations and
requirements and ensure that they are being applied across the organisation and
that corporate governance is being properly maintained. For heaven's sake, let's
not bring the lawyers into this!!!

I think this thread is developing the symptoms of drifting OT so let's try and
hold it here.

Stephen Mednick
Computer Supervisory Services
Sydney, Australia



Re: Data Erasure Products

2008-01-31 Thread Anne & Lynn Wheeler
[EMAIL PROTECTED] (Stephen Mednick) writes:
> it's not a case of how valuable the data is, more importantly it's to
> do with what the security classification is that has been assigned to
> the data. Depending on the data's security classification dictates the
> media overwriting/sanitisation method that is to be deployed in
> accordance with government requirements.

security classification is simplification ... like role-based access
control is simplification for permissions. ... recent post on dealing
with permissions
http://www.garlic.com/~lynn/2008b.html#26 folklore indeed

the issue normally reduces to what is the threat model? security
classification tends to be associated with threat model where divulging
the information is not desirable ... and classification level attempts
to make the measures to prevent information divulging proportional to
the damage that might happen if the information is divulged (and/or the
effort that an attacker will go to in order to get the data). For
magnetic media this might be something like overwriting a specific
number of times with (different) random data ... nist standard:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

An example of how this gets simplified is example of consumer financial
information stored at a merchant. The "damage" gets translated into
security proportional to risk ... and the risk is what is the value of
the information to the merchant ... old post on the subject:
http://www.garlic.com/~lynn/2001h.html#61 Security Proportional To Risk

The problem is that the real threat model and therefore risk, is that the
value of the information to the consumer (and to any attacking crook) is
possibly one hundred times larger than the value of the information to
the merchant. The merchant is required to keep transaction logs (and the
associated account numbers) for some period as part of mandated business
processes.

The information value (to the merchant) is some part of the merchant's
profit margin on the transaction ... for hypothetical example for some
number of product transactions, this could be $10,000. The value of the
information to the crook, is related to the credit limits associated
with the individual accounts. This could conceivably be $10,000,000
(totally unrelated to the value of the information to the merchant,
i.e. some portion of the profit on the purchased products). Since the
value to the crook can be 100 to 1000 times larger, the attacking crooks
can afford to outspend the defending merchants by possibly one hundred
times.

in the mid-90s, the x9a10 financial standard working group had been
given the requirement to preserve the integrity of the financial
infrastructure for all retail payments. Part of this was looking in
detail at end-to-end vulnerabilities and threat models ...  as part of
coming up with x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

part of the x9.59 financial standard was eliminating the usefulness of
the account transaction log information (at merchants) to attacking
crooks  i.e. it didn't involve trying to prevent attacking crooks
from getting at the information ... it just made the information useless
to crooks for performing fraudulent financial transactions.

A different example was we also got involved in co-authoring the
financial industry x9.99 privacy standard. As part of that we had to
look at both GLBA and HIPAA (financial transactions can be used for medical
procedures which may be listed).

One of the issues in HIPAA is that there is a real requirement to make
some amount of medical procedure information available. As a result,
HIPAA allows for information to be available if it can't be associated
with an individual (aka "deidentified").

deidentified
 Under the HIPAA Privacy Rule, data are deidentified if either (1) an
 experienced expert determines that the risk that certain information
 could be used to identify an individual is 'very small' and documents
 and justifies the determination, or (2) the data do not include any of
 the following eighteen identifiers

... snip ...

As part of working on x9.99, we put together a privacy merged taxonomy
and glossary ... see:
http://www.garlic.com/~lynn/privacy.htm

for other details see notes at
http://www.garlic.com/~lynn/index.html#glosnote



Re: Data Erasure Products

2008-02-01 Thread Anne & Lynn Wheeler
The following message is a courtesy copy of an article
that has been posted to bit.listserv.ibm-main as well.

[EMAIL PROTECTED] (Anne & Lynn Wheeler) writes:
> the issue normally reduces to what is the threat model? security
> classification tends to be associated with threat model where divulging
> the information is not desirable ... and classification level attempts
> to make the measures to prevent information divulging proportional to
> the damage that might happen if the information is divulged (and/or the
> effort that an attacker will go to in order to get the data). For
> magnetic media this might be something like overwriting a specific
> number of times with (different) random data ... nist standard:
> http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

re:
http://www.garlic.com/~lynn/2008c.html#47 Data Erasure Products 

oh, and note recent article:

'Erased' personal data on agency tapes can be retrieved, company says
http://www.govexec.com/dailyfed/0108/012308j2.htm

from above:

Personal and sensitive government data -- including employees' personal
data -- on magnetic tapes that federal agencies erase and later sell can
be retrieved using simple technology, according to an investigation
conducted by a storage tape manufacturer.

... snip ...

the above article references a GAO report/study:

According to its September 2007 report (GAO-07-1233R), GAO concluded it
could not find "any comprehensible data on any of the tapes using
standard commercially available equipment and data recovery techniques,
specialized diagnostic equipment, custom programming or forensic
analysis."

... snip ...

i.e. gao report
http://www.gao.gov/new.items/d071233r.pdf

old article from last sept:

Government sale of used magnetic tape storage not a big security risk, GAO reports
http://www.networkworld.com/community/node/19807



Re: Data Erasure Products

2008-02-04 Thread Mike Baldwin
On Thu, 31 Jan 2008 14:01:10 -0600, Ed Gould 
<[EMAIL PROTECTED]> wrote:

>I vaguely remember a story here I cannot remember where I heard it
>(it may be an urban legend).
>*SUPPOSEDLY* the CIA (NSA??) was able to read a disk even after data
>has been written on it, even after 10 or 11 times.

Hi Ed,

I thought it interesting that you mentioned 11 times.

In a customer security standard document (that I cannot quote), that refers 
to U.S. DoD standards, when overwriting at least 12 times is recommended.  
One might infer that 11 times is considered insufficient.  It doesn't give the 
reason.

Regards,
Mike Baldwin
Cartagena Software Ltd.
www.cartagena.com



Re: Data Erasure Products

2008-02-04 Thread Diehl, Gary (MVSSupport)
Ed,

I've been told the same thing.  I worked SBLC for the AF, and we were
told that data could be recovered after up to 7 rewrites, and the
methodology was based on signal strength analysis.  I.E. You read the
sector of a hard disk umpteen millions of times and get enough samples
of it to determine what was written there last time, overwritten once,
overwritten twice, etc, based on the signal degradation created by
overwrite.

Our destruction procedures were based on these assumptions.  We had to
do massive overwrites and then physically take apart, scratch, and then
bend old HDAs (3375/3380 drives) before they could go to DRMO for metal
recycling.  And the "new fangled" PC hard drives were degaussed, and
then melted in an incinerator for good measure.

I don't know how true the "recovery after x overwrites" is either, but
this is what we were trained on, and the paranoid procedures we
followed.

I'd be interested to see what methodology is used to ensure the data is
really gone from IBM hard drives today, particularly with these massive
RAIDs we all seem to use!

Gary Diehl
MVS Support
"The glass is neither half full or half empty; the engineer who designed
the glass simply allowed for a 100% increase in fluid storage."
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ed Gould
Sent: Thursday, January 31, 2008 2:01 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Data Erasure Products

On Jan 31, 2008, at 3:48 AM, SUBSCRIBE IBM-MAIN Niall wrote:

> How about encrypting the volume in its entirety before deletion?
>
> I've been through the DR/deletion exercise a few times, and used an  
> in-house
> utility to overwrite the disk. If available, however, would  
> encryption not
> be a possible solution in that even if a shadow of the data were  
> left, it
> should at least be in a format that is not readable?
>
> I ask because some sites may already have invested in an encryption  
> tool,
> and it might be an imaginative use of an existing asset.
>
I vaguely remember a story here I cannot remember where I heard it  
(it may be an urban legend).
*SUPPOSEDLY* the CIA (NSA??) was able to read a disk even after data  
has been written on it, even after 10 or 11 times.

I have heard this but where? I do *NOT* know if this is true or not.

Ed



Re: Data Erasure Products

2008-02-04 Thread Howard Brazee
On 4 Feb 2008 10:15:04 -0800, [EMAIL PROTECTED] (Mike Baldwin) wrote:

>>*SUPPOSEDLY* the CIA (NSA??) was able to read a disk even after data
>>has been written on it, even after 10 or 11 times.
>
>Hi Ed,
>
>I thought it interesting that you mentioned 11 times.
>
>In a customer security standard document (that I cannot quote), that refers 
>to U.S. DoD standards, when overwriting at least 12 times is recommended.  
>One might infer that 11 times is considered insufficient.  It doesn't give the 
>reason.

I suspect that for this kind of security, overkill is standard.   If
5-6 times seems iffy, be safe and double this value.



Re: Data Erasure Products

2008-02-04 Thread Ed Gould

On Feb 4, 2008, at 9:56 AM, Diehl, Gary (MVSSupport) wrote:


> Ed,
>
> I've been told the same thing.  I worked SBLC for the AF, and we were
> told that data could be recovered after up to 7 rewrites, and the
> methodology was based on signal strength analysis.  I.E. You read the
> sector of a hard disk umpteen millions of times and get enough samples
> of it to determine what was written there last time, overwritten once,
> overwritten twice, etc, based on the signal degradation created by
> overwrite.
>
> Our destruction procedures were based on these assumptions.  We had to
> do massive overwrites and then physically take apart, scratch, and then
> bend old HDAs (3375/3380 drives) before they could go to DRMO for metal
> recycling.  And the "new fangled" PC hard drives were degaussed, and
> then melted in an incinerator for good measure.
>
> I don't know how true the "recovery after x overwrites" is either, but
> this is what we were trained on, and the paranoid procedures we
> followed.
>
> I'd be interested to see what methodology is used to ensure the data is
> really gone from IBM hard drives today, particularly with these massive
> RAIDs we all seem to use!
>
> Gary Diehl
> MVS Support



Gary,

A while ago someone on here indicated that the units you talk about
have some sort of built-in facility to just do that (erase the
data).  I have no access to any documentation either. One could
argue just deleting the pointers should be good enough. I am a little
skeptical about this seeing as how the PC world doesn't seem to be really
interested in this issue. I have a feeling that the only good method
is to take the platters out and break them up or toss them in acid
and for safe measure a degausser.


I know the military is decent at doing decommissioning of drives. If
anything they are probably a little overkill which is fine with me.
Personally if they really wanted it GONE they should send it in a
rocket to the sun and let it vaporize already erased data. If
somehow agents were to land on the sun and intercept the rockets I
think they deserve to get it.


Ed



Re: Data Erasure Products

2008-02-04 Thread Ed Gould

On Feb 4, 2008, at 12:14 PM, Mike Baldwin wrote:

--SNIP---
Hi Ed,

I thought it interesting that you mentioned 11 times.

In a customer security standard document (that I cannot quote), that refers
to U.S. DoD standards, when overwriting at least 12 times is recommended.
One might infer that 11 times is considered insufficient.  It doesn't give the
reason.

SNIP


Mike,

Well thank goodness I wasn't too off base. It could have just as
easily been 12. I am glad that someone confirmed what I had heard/read.

Thanks.

Ed



Re: Data Erasure Products

2008-02-05 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>, on 02/04/2008
   at 11:18 PM, Ed Gould <[EMAIL PROTECTED]> said:

>I am a little skeptical about this seeing as how the PC world
>doesn't seem to be really interested in this issue.

There are several major issues that the PC world doesn't seem to be
interested in. A failure to appreciate security problems until the balloon
goes up would be par for the course.

>Personally if they really wanted it GONE they should send it in a  
>rocket to the sun and let it vaporize already erased data.

There are less expensive ways to vaporise a drive.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Data Erasure Products

2008-02-05 Thread Ed Gould

On Feb 5, 2008, at 6:12 AM, Shmuel Metz (Seymour J.) wrote:


> In <[EMAIL PROTECTED]>, on 02/04/2008
>    at 11:18 PM, Ed Gould <[EMAIL PROTECTED]> said:
>
>> I am a little skeptical about this seeing as how the PC world
>> doesn't seem to be really interested in this issue.
>
> There are several major issues that the PC world doesn't seem to be
> interested in. A failure to appreciate security problems until the balloon
> goes up would be par for the course.
>
>> Personally if they really wanted it GONE they should send it in a
>> rocket to the sun and let it vaporize already erased data.
>
> There are less expensive ways to vaporise a drive.




Shmuel:

Of course there are. But as long as there is a person left on earth
there would be attempt(s) to devaporize (I know there is no such
word) but if Star Trek can materialize someone and dematerialize
someone there would be attempts to get the data back .. somehow. The
sun (or maybe better a black hole) is practically the only way to put
a stop to that. I was really not serious when I said the sun but just
as there have always been ladies of the evening there is someone
waiting to use them. There will always be some attempt to get back a
vaporized (anything) if it's valuable enough was my point, obviously I
did not make it well enough.


Ed



Re: Data Erasure Products

2008-02-06 Thread Shane
On Wed, 2008-02-06 at 11:15 +0100, Thomas Berg wrote:

> Seriously, at some level You can be practically certain that 
> the data cannot be resurrected, NSA or not NSA. 

I always work on the basis that if the spooks (any nationality) are
*really* interested in your data, they already have it.
Well before you are thinking of destroying the physical media.

Commercial opposition may be another story.
Maybe.

Paranoid ??? ... nah, not me.

Shane ...



Re: Data Erasure Products

2008-02-06 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>, on 02/05/2008
   at 11:53 PM, Ed Gould <[EMAIL PROTECTED]> said:

>Of course there are. But as long as there is a person left on earth  
>there would be attempt(s) to devaporize (I know there is no such word)
>but if Star Trek can materialize someone and dematerialize someone 

Star Trek is fiction.

>there would be attempts to get the data back

And no doubt there would be attempts to get the drive back from the sun.
Attempts don't bother me as long as they are doomed to fail.

>There will always be some attempt to get back a  
>vaporized (anything) if it's valuable enough was my point,

Who cares about attempts to do the impossible?

>obviously I  did not make it well enough.

You made the point that someone would try well enough. What you didn't do
was to provide a reason to believe that there was the remotest chance of
success. Appeals to a TV series are not reasons to believe.

-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Data Erasure Products

2008-02-06 Thread Ed Gould

On Feb 6, 2008, at 7:50 PM, Shmuel Metz (Seymour J.) wrote:

--SNIP
You made the point that someone would try well enough. What you didn't do
was to provide a reason to believe that there was the remotest chance of
success. Appeals to a TV series are not reasons to believe.




I believe someone on here said that the DOD said 15 writes over the  
data set was good enough. If the DOD is happy with it then I am as well.

Ed



Re: Data Erasure Products

2008-02-07 Thread (IBM Mainframe Discussion List)
 
 
In a message dated 2/7/2008 12:27:49 A.M. Central Standard Time,
[EMAIL PROTECTED] writes:
>I believe someone on here said that the DOD said 15 writes over the
>data set was good enough.

The latest (JUN 2001) DOD specification that I read on the Internet said six
times is enough, but you have to write certain bit patterns.  The German DOD
wants seven times.
 
Bill  Fairchild
Rocket Software







Re: Data Erasure Products

2008-02-08 Thread R.S.

(IBM Mainframe Discussion List) wrote:
 
 
> In a message dated 2/7/2008 12:27:49 A.M. Central Standard Time,
> [EMAIL PROTECTED] writes:
>> I believe someone on here said that the DOD said 15 writes over the
>> data set was good enough.
>
> The latest (JUN 2001) DOD specification that I read on the Internet said six
> times is enough, but you have to write certain bit patterns.  The German DOD
> wants seven times.


Gentlemen,
Don't you think, the "magic numbers" of the rewrites comes from voodoo 
(or black magic) rather than from technological reasons ?
Any disk taken (stolen) from DASD array contains part of 
gazillion-elements-puzzle. Without any overwrite. If you overwrite the 
data, the only method to (try to) find the previous content is to use 
microscope and watch magnetic domains. Try to find out what was the 
previous value. More than gazillion-element-puzzle. After that, you 
still have the previous exercise, that means set up array from 
"independent" disks.

IMHO it is much easier and cheaper to pay someone for the data.

BTW: I would like to see *technical* justification of "15-times" or any 
other number. Technical one, not "because mama said so".


--
Radoslaw Skorupka
Lodz, Poland




Re: Data Erasure Products

2008-02-08 Thread Vernooy, C.P. - SPLXM
"R.S." <[EMAIL PROTECTED]> wrote in message
news:<[EMAIL PROTECTED]>...
> (IBM Mainframe Discussion List) wrote:
> >
> > In a message dated 2/7/2008 12:27:49 A.M. Central Standard Time,
> > [EMAIL PROTECTED] writes:
> >> I believe someone on here said that the DOD said 15 writes over the
> >> data set was good enough.
> >
> > The latest (JUN 2001) DOD specification that I read on the Internet said six
> > times is enough, but you have to write certain bit patterns.  The German DOD
> > wants seven times.
>
> Gentlemen,
> Don't you think, the "magic numbers" of the rewrites comes from voodoo
> (or black magic) rather than from technological reasons ?
> Any disk taken (stolen) from DASD array contains part of
> gazillion-elements-puzzle. Without any overwrite. If you overwrite the
> data, the only method to (try to) find the previous content is to use
> microscope and watch magnetic domains. Try to find out what was the
> previous value. More than gazillion-element-puzzle. After that, you
> still have the previous exercise, that means set up array from
> "independent" disks.
> IMHO it is much easier and cheaper to pay someone for the data.
>
> BTW: I would like to see *technical* justification of "15-times" or any
> other number. Technical one, not "because mama said so".
>
> --
> Radoslaw Skorupka

I also had my thoughts about this theory to find back old data. We
once had an issue with overwritten tapes and asked a company specialized
in recovering data from damaged media for our options and they simply
said it was impossible to recover overwritten data.

Kees.


Re: Data Erasure Products

2008-02-08 Thread Ed Gould

On Feb 8, 2008, at 2:36 AM, R.S. wrote:

SNIP-
Gentlemen,
Don't you think, the "magic numbers" of the rewrites comes from
voodoo (or black magic) rather than from technological reasons ?
Any disk taken (stolen) from DASD array contains part of
gazillion-elements-puzzle. Without any overwrite. If you overwrite the data,
the only method to (try to) find the previous content is to use
microscope and watch magnetic domains. Try to find out what was the
previous value. More than gazillion-element-puzzle. After that, you
still have the previous exercise, that means set up array from
"independent" disks.

IMHO it is much easier and cheaper to pay someone for the data.

BTW: I would like to see *technical* justification of "15-times" or
any other number. Technical one, not "because mama said so".


--
Radoslaw Skorupka
Lodz, Poland




Radoslaw:

Some people (a lot) on this list are (or should be) concerned about  
data destruction. If you are one of the few that are not concerned  
now but in the future you may be asked (or involved) in such  
discussions it (IMO) is always good to have at least an idea of what  
is involved and the side issues that way you can make contributions  
to the boss (or group). It is usual (IMO) if you make good  
contribution (on the job or most places) to the issue of data  
destruction you will come out ahead of the game. Quite often in the  
US we have other departments that "worry" about such items and  
probably the departments do not have a clue about the virtual ARRAYS  
for DASD (or TAPE for that matter) and the implications for data  
destruction.  If you can walk away from here with at least a minimal  
understanding of some of the issues you can honestly say you have  
learned something new today and you (may) well be a better employee  
for it.


Ed

ps: As for the number of rewrites the DOD is probably the last word  
in data destruction. Although it would be interesting to hear if   
HIPPAA (sp?) has one as well.


pps: HIPPAA (sp?) is a US concern about medical information privacy I  
would suspect the EU has standards as well. Off the top of my head I  
do not remember if Poland is a part of the EU, it may happen in the  
future.




Re: Data Erasure Products

2008-02-09 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>, on 02/08/2008
   at 09:36 AM, "R.S." <[EMAIL PROTECTED]> said:

>Don't you think, the "magic numbers" of the rewrites comes from voodoo 
>(or black magic) rather than from technological reasons ?

No.

>Any disk taken (stolen) from DASD array contains part of 
>gazillion-elements-puzzle. Without any overwrite. If you overwrite the 
>data,

The question in dispute is what it takes to successfully overwrite the
data. Believing that you've overwritten them isn't good enough.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Data Erasure Products

2008-02-11 Thread Ron Hawkins
Kees,

The potential to read overwritten data comes from the fact that the heads
never "perfectly" line up in the same place twice. A write may write over
95% of the bits in a given track leaving a shadow of old data that can be
read - with great difficulty and very slowly, but it can be read.

Secure erasure through multiple overwrite and patterns is meant to wipe out
the shadow of old data based on the precision of heads. After enough writes
over "almost" the same place the head is expected to have settled over all
the surface area it has previously written to.

Whether there is an industry scanning old disk drives, or labs full of
spooks doing this I do not know. The thing is it can be done, and erasure is
a way to prevent it or make it hard to do. The number of overwrites required
to wipe the data would depend on the precision of head technology as this is
what leaves residual magnetic images in the first place.


Ron

> > No.
> 
> Unless I missed a part of the discussion, all statements that
> overwriting once is not good enough, were based on rumours,
> assumptions,
> theoretical possibilities and negative evidence (data is suggested to
> be
> readable until proven otherwise). If my video store says a video is not
> available and another store can deliver it, does this prove that all
> video stores that say a video is not available are lying? Is there some
> report, investigation, official statement to *prove* that overwriting
> once is not good enough?
> 
> Kees.
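
Added example, not part of Ron Hawkins's post: a toy simulation of the argument in that post, where each overwrite pass lands with a small random lateral offset and so leaves an edge strip of the old track untouched. The cell counts, the jitter range and the uniform offset distribution are assumptions chosen so that a single pass covers at least 95% of the track; it models the argument only and measures no real drive.

```python
import random


def overwrite_pass(old, head_cells, offset):
    """Mark as overwritten every cell the head covers on one pass.

    `old` is a bytearray with one byte per lateral cell across the track:
    1 = cell still holds the original magnetisation, 0 = overwritten.
    `offset` is how far (in cells) the head sits from its nominal position.
    """
    start = max(0, offset)
    end = min(len(old), offset + head_cells)
    if end > start:
        old[start:end] = bytes(end - start)


def mean_residual(max_passes, track_cells=1000, jitter_cells=50,
                  trials=2000, seed=1):
    """Return [r0, r1, ..., rN]: mean fraction of the original track width
    still untouched after 0..N overwrite passes.

    Assumed model: the head is as wide as the track and each pass is offset
    by a uniform random integer in [-jitter_cells, +jitter_cells].
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = [0.0] * (max_passes + 1)
    for _ in range(trials):
        old = bytearray(b"\x01") * track_cells
        totals[0] += 1.0
        for n in range(1, max_passes + 1):
            offset = rng.randint(-jitter_cells, jitter_cells)
            overwrite_pass(old, track_cells, offset)
            totals[n] += sum(old) / track_cells
    return [t / trials for t in totals]


def passes_until(threshold, residuals):
    """Smallest pass count whose mean residual is below `threshold`,
    or None if no simulated pass count gets there."""
    for n, r in enumerate(residuals):
        if r < threshold:
            return n
    return None


if __name__ == "__main__":
    res = mean_residual(12)
    for n, r in enumerate(res):
        print(f"{n:2d} passes: {r:.5%} of track width still holds old data")
```

In this model the residue disappears as soon as one pass has landed on each side of the original position, which is the "settled over all the surface area" behaviour the post describes; the pass count needed depends entirely on the assumed jitter.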



Re: Data Erasure Products

2008-02-11 Thread Vernooy, C.P. - SPLXM
", IBM Mainframe Discussion List" <[EMAIL PROTECTED]> wrote in message
news:<[EMAIL PROTECTED]>...
>  
>  
> In a message dated 2/11/2008 3:00:22 A.M. Central Standard Time,  
> [EMAIL PROTECTED] writes:
> >Unless I missed a part of the discussion, all statements that
> >overwriting once is not good enough, were based on rumours, assumptions,
> >theoretical possibilities and negative evidence (data is suggested to be
> >readable until proven otherwise). If my video store says a video is not
> >available and another store can deliver it, does this prove that all
> >video stores that say a video is not available are lying? Is there some
> >report, investigation, official statement to *prove* that overwriting
> >once is not good enough?
>
> I am reminded of the epsilon-delta process that I learned in first semester
> college calculus.  "Good enough" for what?  You supply me with the "for what"
> and I'll provide you with the "good enough."  If the "for what" is that you
> want to sell a data erasure product to the United States Department of
> Defense, then you must fulfill their minimum requirements, for which there might
> theoretically be no provable basis in fact or experiment, but yet they


><

> overwritten data may be possible, since they use only part of
> the available area (differences in positioning of different writes)
> and part of the available "channel" (s/n ratio, Shannon)."
>
> All 4 were from
> http://www.tomshardware.com/forum/138943-32-forensic-recovery )
>  
>  
> Bill  Fairchild
> Rocket Software
> 

Thanks Bill, this was very interesting information. It still does not
provide *the* answer, but gives a little bit more solid foundation to
the picture.

Kees.


Re: Data Erasure Products

2008-02-11 Thread (IBM Mainframe Discussion List)
 
 
In a message dated 2/11/2008 3:00:22 A.M. Central Standard Time,  
[EMAIL PROTECTED] writes:
>Unless I missed a part of the discussion, all statements  that
overwriting once is not good enough, were based on rumours,  assumptions,
theoretical possibilities and negative evidence (data is  suggested to be
readable until proven otherwise). If my video store says a  video is not
available and another store can deliver it, does this prove that  all
video stores that say a video is not available are lying? Is there  some
report, investigation, official statement to *prove* that  overwriting
once is not good enough?
 
I am reminded of the epsilon-delta process that I learned in first
semester college calculus.  "Good enough" for what?  You supply me with
the "for what" and I'll provide you with the "good enough."  If the "for
what" is that you want to sell a data erasure product to the United
States Department of Defense, then you must fulfill their minimum
requirements, for which there might theoretically be no provable basis
in fact or experiment, but yet they published a requirement that said
disk tracks must be overwritten six times in a row with specifically
described, differing bit patterns.  If you think that once is good
enough, that may be ok for your needs, but you will not sell your
erasure product to the DoD.
 
The scientific explanation for what is going on at the atomic level is
that when you record a "one" bit on a disk track you do not really write
an entity called a "bit" on the track.  You magnetize several billion
atoms of iron and align them in a certain direction.  When you read this
bit back, the electronic mechanisms are designed to detect many kinds of
errors in reading.  One such error is that there is a "weak" signal (not
strong enough for the electronics to call it a "one" or a "zero").  What
should the electronics do in such a situation?  One answer is to re-read
the bit.  Another is to move the read-write mechanism/transducer
laterally an extremely small distance (called head shaking) and retry
the read.  The farther you move the read/write head away from the
theoretical center of where the disk track is supposed to be, the more
likely you are to detect magnetized alignment in some of the billions of
atoms involved in storing a bit in the immediately adjacent track.
Whenever you overwrite a bit, you remagnetize and realign the billions
of atoms.  But you can never realign 100 percent of them.  There will
always be a few that do not get realigned properly.  The idea behind
overwriting many times is that if you have sensitive enough equipment,
you can theoretically filter out the 99% of the atoms that are correctly
aligned and read only the 1% that are "wrong".  This may give you a clue
as to what was previously written in that bit's location.
 
If the value of the data is X dollars to your enterprise but 100 times X
to your competition (or national enemy), then you need to spend a lot
more than X dollars to make sure that your competition cannot read that
data.  The enemy may be willing to spend 50 times X dollars in research
to build the world's most sensitive detector of magnetized atoms of iron
or an extremely powerful microscope.  Here is one Internet commentary on
this subject:
http://www.nber.org/sys-admin/overwritten-data-guttman.html
He refutes the idea that overwritten data can be recovered by any method
other than with a microscope.  I would suggest that he did not have a
Top Secret Compartmentalized clearance for this subject, and thus did
not have access to the latest and greatest technology used by the
National Security Agency, Central Intelligence Agency, and who knows
what other black budget groups of the US government.  Such information
is not to be found in the public domain.  They obviously know the
answer, but they aren't telling.  Since I don't have this kind of
clearance either, I don't know for a fact what these agencies can do.
But I did find the DoD's requirement in the public domain, and they want
6 successive overwrites of each track.  That is their definition of
"good enough."
 
Here is more information:
http://www.forensicswiki.org/wiki/Recovering_Overwritten_Data
 
Here are some comments lifted from a blog:
(1) "while it may be possible to remove data in layers and recover
older data that was in its space before, no commercial data recovery
company offers this service. (The German computer magazine c't
tried to get data recovered that was overwritten once some time
ago. All data-recovery outfits they contacted said they could
not do this.) It might be impossible to actually do this, e.g.
because the overwritten signal is too close to the noise-level.
It used to be possible with older HDD technology, that did n

Re: Data Erasure Products

2008-02-11 Thread Vernooy, C.P. - SPLXM
"Shmuel Metz  , Seymour J." <[EMAIL PROTECTED]> wrote in
message news:<[EMAIL PROTECTED]>...
> In <[EMAIL PROTECTED]>, on 02/08/2008
>at 09:36 AM, "R.S." <[EMAIL PROTECTED]> said:
> 
> >Don't you think, the "magic numbers" of the rewrites comes from voodoo
> >(or black magic) rather than from technological reasons ?
> 
> No.

Unless I missed a part of the discussion, all statements that
overwriting once is not good enough, were based on rumours, assumptions,
theoretical possibilities and negative evidence (data is suggested to be
readable until proven otherwise). If my video store says a video is not
available and another store can deliver it, does this prove that all
video stores that say a video is not available are lying? Is there some
report, investigation, official statement to *prove* that overwriting
once is not good enough?

Kees.


Re: Data Erasure Products

2008-02-11 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>,
on 02/11/2008
   at 08:57 AM, "Vernooy, C.P. - SPLXM" <[EMAIL PROTECTED]> said:

>Unless I missed a part of the discussion,

You missed the discussion of head alignment. There are also commercial
firms doing data recovery.


>Is there some report, investigation, official statement to *prove*
>that overwriting once is not good enough?

There have been numerous official statements from, e.g., NSA.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Data Erasure Products

2008-02-18 Thread R.S.

Ed Gould wrote:

> Radoslaw:
>
> Some people (a lot) on this list are (or should be) concerned about data
> destruction.

Yes. So what ?

> If you are one of the few that are not concerned now but in [...]

Bad assumption. I am concerned. BTDT.

> the future you may be asked (or involved) in such discussions it (IMO)
> is always good to have at least an idea of what is involved and the side
> issues that way you can make contributions to the boss (or group). It is
> usual (IMO) if you make good contribution (on the job or most places) to
> the issue of data destruction you will come out ahead of the game. Quite
> often in the US we have other departments that "worry" about such items
> and probably the departments do not have a clue about the virtual ARRAYS
> for DASD (or TAPE for that matter) and the implications for data
> destruction.  If you can walk away from here with at least a minimal
> understanding of some of the issues you can honestly say you have
> learned something new today and you (may) well be a better employee for it.

Ed,
Maybe my English is too poor or yours is too rich
While I understand every single word, I don't understand what's your
opinion.
I asked simple question, did not get the answer. I don't like answer
"because mama said so". I like to know why.

> ps: As for the number of rewrites the DOD is probably the last word in
> data destruction. Although it would be interesting to hear if HIPPAA
> (sp?) has one as well.
>
> pps: HIPPAA (sp?) is a US concern about medical information privacy I
> would suspect the EU has standards as well. Off the top of my head I do
> not remember if Poland is a part of the EU, it may happen in the future.

Poland is part of the EU. I have never heard about medical information
privacy regulation. We have some nation-wide information privacy codes,
but nothing "medicine-specific".
BTW: your (US) regulation is HIPAA, not HIPPAA. Health Insurance
Portability and Accountability Act. AFAIK established in 1996.



Regards
--
Radoslaw Skorupka
Lodz, Poland




Re: Data Erasure Products

2008-02-18 Thread Mike Bell
The whole point of multiple write passes is that the physical head does not
write a track at the same exact physical location every time.  With the
right equipment (disk manufacturers and data recovery experts have it), you
can center the read head off to the side of the track, and read a value from
a previous write.  The accuracy of the read depends on the normal your
mileage may vary factors, how long the previous value was there, where the
head was previously centered (within the limits of being able to read
correctly) etc.  If you write random bit patterns, multiple times (and
different bit patterns on each pass), then the difficulty of extracting the
previous data increases.  How much the difficulty increases is known by the
people who do this for a living (NOT me).


-- 
Mike



Re: Data Erasure Products

2008-02-18 Thread R.S.

Mike Bell wrote:

> The whole point of multiple write passes is that the physical head does not
> write a track at the same exact physical location every time.  With the
> right equipment (disk manufacturers and data recovery experts have it), you
> can center the read head off to the side of the track, and read a value from
> a previous write.  The accuracy of the read depends on the normal your
> mileage may vary factors, how long the previous value was there, where the
> head was previously centered (within the limits of being able to read
> correctly) etc.  If you write random bit patterns, multiple times (and
> different bit patterns on each pass), then the difficulty of extracting the
> previous data increases.  How much the difficulty increases is known by the
> people who do this for a living (NOT me).

I read about it approx. 5 years ago, so it's not new for me.
I understand why multiple passes are better than single pass, but still
have no answer how many times is good enough. Otherwise someone (official
entity) could say "999 times". Or  times. Or 9 times. Everyone
would agree the more is the better - from security point of view.
So, should we overwrite 15 times or 999 times ? Please *justify* your
answer.


--
Radoslaw Skorupka
Lodz, Poland




Re: Data Erasure Products

2008-02-18 Thread Howard Brazee
On 18 Feb 2008 08:38:41 -0800, [EMAIL PROTECTED] (R.S.)
wrote:

>I read about it approx. 5 years ago, so it's not new for me.
>I understand why multiple passes are better than single pass, but still
>have no answer how many times is good enough. Otherwise someone (official
>entity) could say "999 times". Or  times. Or 9 times. Everyone
>would agree the more is the better - from security point of view.
>So, should we overwrite 15 times or 999 times ? Please *justify* your
>answer.

How much slop needs to be covered up with rewrites would depend upon
the particular disk drive.   So there won't be a single answer that is
barely sufficient for one drive and barely sufficient for another
drive.   
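
The off-track argument in the two messages above, as an added toy model (not part of the thread and not any poster's code): each write lands at a slightly different cross-track position, and what survives of the original write is the edge strip that no later pass has reached. The uniform jitter, the equal band width, and the two jitter values are constructed assumptions, not measurements of any drive, and the result is a geometric width only; it says nothing about whether that strip could actually be read.

```python
import random

def residue_after_passes(jitter, passes, rng):
    """Width of the original write left uncovered after each overwrite pass.

    Toy geometry (assumed): every write lays down a band of the same width
    whose centre lands uniformly within +/- jitter of the nominal track
    centre, with jitter smaller than half the band width so the bands
    always overlap. The residue is the strip on either side of the
    original band that no later band has covered.
    """
    original = rng.uniform(-jitter, jitter)
    lowest, highest = float("inf"), float("-inf")
    residue = []
    for _ in range(passes):
        centre = rng.uniform(-jitter, jitter)
        lowest = min(lowest, centre)
        highest = max(highest, centre)
        left = max(0.0, lowest - original)    # strip below every later band
        right = max(0.0, original - highest)  # strip above every later band
        residue.append(left + right)
    return residue

def mean_residue(jitter, passes, trials=20000, seed=1):
    """Average residue after pass 1..passes over many simulated tracks."""
    rng = random.Random(seed)
    totals = [0.0] * passes
    for _ in range(trials):
        for i, r in enumerate(residue_after_passes(jitter, passes, rng)):
            totals[i] += r
    return [t / trials for t in totals]

def expected_residue(jitter, n):
    """Closed form for this toy model: 4 * jitter / ((n + 1) * (n + 2))."""
    return 4.0 * jitter / ((n + 1) * (n + 2))

if __name__ == "__main__":
    # Constructed jitter values, in units of the write-band width.
    for jitter in (0.05, 0.20):
        for n, value in enumerate(mean_residue(jitter, 6), start=1):
            print(f"jitter={jitter:.2f} pass={n} simulated={value:.5f} "
                  f"model={expected_residue(jitter, n):.5f}")
```

In this model the residue shrinks with every pass but never reaches zero, and for a fixed pass count it scales with the jitter, which is the "depends upon the particular disk drive" point.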



Re: Data Erasure Products

2008-02-18 Thread Shane
R.S. (referring to Ed G) wrote:

> While I understand every single word, I don't understand what's your 
> opinion.

Your mastery of English is *not* the problem ...
Making sense of Ed is beyond a good number (all ???) of us.

Shane ...



Re: Data Erasure Products

2008-02-22 Thread Mike Baldwin
On Mon, 18 Feb 2008 17:38:15 +0100, R.S. 
<[EMAIL PROTECTED]> wrote:

>"999 times". Or  times. Or 9 times. Everyone
>would agree the more is the better - from security point of view.
>So, should we overwrite 15 times or 999 times ? Please *justify* your
>answer. 

Hi R.S.,

I enjoy your sense of curiosity.  The customer security document I referred to 
earlier said that there are commercial products available that can erase up to 
99 times.  It did not express concern about this limitation of capability, or 
suggest erasing 99 times and then another 99.  So I would infer that 100 
times is considered certainly *more* than enough.  Sorry this probably doesn't 
satisfy your desire for justification; sometimes when my son asks me Why? 
(every few seconds) I can't or don't answer either.

Regards,
Mike Baldwin
Cartagena Software Ltd.
www.cartagena.com
