Forgot your password?
typodupeerror
Data Storage Security IT

The Great Zero Challenge Remains Unaccepted 496

Posted by timothy
from the no-fair-guessing-porn-names- dept.
An anonymous reader writes "Not even data recovery companies will accept The Great Zero Challenge and only four months remain! We've all heard how easily data can be recovered from hard drives. We're told to make multiple overwrites with random data, to degauss drives and even physically destroy them just to be extra safe. Let's get the word out. The challenge is almost over! It's put up or shut up time. Can you recover the data?"
This discussion has been archived. No new comments can be posted.

The Great Zero Challenge Remains Unaccepted

Comments Filter:
  • by DigitAl56K (805623) * on Saturday September 06, 2008 @03:22PM (#24903075)

    Based on nothing more than personal suspicion, I think many professional recovery firms may be in the business of simply running expensive tools that scan through the partition and file table area and perhaps even the entire disk to locate data that has either been marked erased or had references removed (for a full disk scan) and then restoring it. Perhaps they'll also move the spindle from a dead drive into a new case to complete the operation, but I doubt there are many companies that will actually do electron force microscopy for you and even fewer that will do it at anything other than an astronomical fee. Powerful recovery tools can be purchased for a few hundred dollars now anyway. My opinion is that the recovery business is a focus around confidence that a professional will be doing the recovery and that you or your employees won't worsen the situation. In the event that a drive with critical data fails and you don't have a backup, who wants to be the person responsible for damaging the disk during recovery?

    Anyway, IMHO this whole debate should be moot by now. If you want to secure your drive use full disk encryption (now freely available in TrueCrypt) and when it comes to destroying the data just overwrite the header area a thousand times with random garbage. It will take only a second or two, and the whole drive will be useless to anyone.

    Of course it would also be nice if more manufacturers were producing encrypted disks as standard with verified schemes (there have been some lemons purporting to be secure that really aren't) so that we wouldn't have to do encryption in software.

    • by anagama (611277) <obamaisaneocon@nothingchanged.org> on Saturday September 06, 2008 @03:29PM (#24903153) Homepage
      Although the drive has to be in a living system and not on the shelf, it's worth noting the cold boot attack: http://citp.princeton.edu/memory/ [princeton.edu]

      Q. What encryption software is vulnerable to these attacks?

      A. We have demonstrated practical attacks against several popular disk encryption systems: BitLocker (a feature of Windows Vista), FileVault (a feature of Mac OS X), dm-crypt (a feature of Linux), and TrueCrypt (a third-party application for Windows, Linux, and Mac OS X). Since these problems result from common design limitations of these systems rather than specific bugs, most similar disk encryption applications, including many running on servers, are probably also vulnerable.

      • by DigitAl56K (805623) * on Saturday September 06, 2008 @03:35PM (#24903245)

        Although the drive has to be in a living system and not on the shelf, it's worth noting the cold boot attack

        Not in this context because we're talking about how intentionally wipe the data from a drive, e.g. when you want to erase the data and dispose of the disk. The cold boot attack, although interesting, has nothing to do with recovering data from a drive after someone has attempted to destroy it, unless your implication is that someone would try to overwrite the header a split second before someone like the FBI breaks the door down. Even then, simply unmounting the volume will wipe the key from memory. If you have time to attempt an erasure you have time to unmount the disk. If you are in a situation where you have enough time to write zeros all over the drive, as in this challenge, you are certainly not at risk from the cold boot attack.

        • by anagama (611277)
          As I said: "the drive must be in a living system". I figured people would think of a "living system" as one in which the drive is installed and the computer running. I suppose I was wrong.

          I think what is most interesting about the cold boot attack is how a system that was thought to be extremely secure, can fall to really smart people. Some really smart person/group in the future may figure out how to recover the old data on a drive despite zeroing or encrypting. Unless the drive is actually destroye
          • See, here I was thinking a Cylon. Number 6 specifically.
          • by Morosoph (693565) on Saturday September 06, 2008 @07:38PM (#24905763) Homepage Journal

            You may not write any data to the drive or disassemble the drive.

            So you're not allowed to (for example) exploit redundancy or error checking on the drive itself? If dd wrote zeros, that's what'll be read unles you can get "lower" than normal drive access.

            This challenge has nothing to do with the security of your wipe. Rather, it has everything to do with dd successfully writing zeros given normal access.

            • Re: (Score:3, Interesting)

              by Molochi (555357)

              Yeah, when I saw that you weren't allowed to disassemble the drive, I knew they weren't challenging anything more than script kiddies and their corporate equivalents.

              This "what do I need to do before I chuck a hdd" conversation has come up before. I'll ask, "How many dollars do you want somebody to spend to get the data?" They, almost invariably respond "I don't want them to be able to get any data." My response usually involves renting a shotgun/smg and some rangetime.

              • Re: (Score:3, Informative)

                by anilg (961244)

                RTFA, they specifically allow disassembling by data recovery organisations and the 3 letter ones to.

            • Re: (Score:3, Informative)

              by 1u3hr (530656)
              You may not write any data to the drive or disassemble the drive.

              RTFA. (How does someone get modded "insightful" when they haven't?)

              That's not in the challenge NOW. It was some months ago, as he didn't want to supply a unlimited number of drives for people to trash, but now the drive does not have to be returned, you can do what you like.

        • Re: (Score:3, Informative)

          by fbjon (692006)
          The cold boot attack is possible if the FBI cuts the power before breaking down the door, then you won't be able to overwrite the memory. Unless you have a UPS, in which case you could have it auto-unmount all encrypted drives after a few seconds warning.
    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday September 06, 2008 @03:31PM (#24903179)

      It's about money.

      Since the "reward" offered seems to be less than the regular fee that a company would charge for such, why would any recovery company waste resources on it?

      • by gEvil (beta) (945888) on Saturday September 06, 2008 @04:04PM (#24903641)
        That was my thought, too. Reading through the challenge page, all I could think was "a whole 40 bucks?!?" I mean, even if I could do it, I'm not sure I'd waste my time for 40 bucks and the title of "recovery king".
        • Re: (Score:3, Insightful)

          by dotgain (630123)
          If my interpretation is correct, you're still $20 behind (unless you actually value an 80GB drive), since if you win you get to keep the drive, but apparently aren't refunded your $60 deposit. This was exactly why I read the article - and when I found out what's at stake I thought it pretty obvious why even ten-year-old johnny with his hex editor haven't entered - this is the most pathetic competetition I have read of in all my time.
          • Wrong interpretation (Score:3, Interesting)

            by Poingggg (103097)

            If my interpretation is correct, you're still $20 behind [....] since if you win you get to keep the drive, but apparently aren't refunded your $60 deposit.

            Wrong interpretation! From TFA:

            If you damage the drive, then your deposit will not be returned.

            So, (if MY interpretation is correct) you will always get your deposit back if you return the drive in good order or win.

            But I have to agree that it's not quite the amount of money I'd do it for, even if I were able to.

    • by Justus (18814) on Saturday September 06, 2008 @03:32PM (#24903213)

      If you want to secure your drive use full disk encryption (now freely available in TrueCrypt) and when it comes to destroying the data just overwrite the header area a thousand times with random garbage. It will take only a second or two, and the whole drive will be useless to anyone.

      Except, of course, that the point of the challenge is that instead of encrypting and whatnot (which can be a good idea for other reasons, but I digress), you could just overwrite the drive with 0's once and dispose of the drive safely. This is most likely substantially faster than what many people propose, like overwriting many times or physically destroying the disk.

      However, I think their methodology is pretty flawed. The reward for completing the challenge is $40 and the drive itself (which is worth $40-60). You also have to pay shipping, which will run maybe $10-15. I know that it's really not worth it for me to spend any time trying to recover the data from the drive—probably a fairly lengthy process—just for $85.

      • Not so. (Score:2, Insightful)

        If you were a data recovery company, you would gain an ENORMOUS reputation if you were to complete the challenge. And the cost? Shipping.

        That is the cheapest publicity they would ever receive... and what publicity they would receive!
        • Re:Not so. (Score:5, Insightful)

          by DigitAl56K (805623) on Saturday September 06, 2008 @03:56PM (#24903525)

          That is the cheapest publicity they would ever receive... and what publicity they would receive!

          Yes, what publicity they would receive? :) I've never heard of 16systems.com before, their site is barebones with almost no articles [16systems.com]. I dare say they caught a lucky break with this Slashdot article. Maybe I'm wrong, but it seems that there is no obvious publicity to be had (before now). And should recovery firms respond to everyone with a small website who issues a challenge?

        • Re: (Score:2, Insightful)

          by Henneshoe (987210)
          I hope that was sarcasm, because really who hasn't heard of 16systems.com and their (not so) great challenge. The publicity from winning this is next to nothing.
      • by arth1 (260657) on Saturday September 06, 2008 @04:11PM (#24903701) Homepage Journal

        The conditions are also made to trick ignorant journalists. Anyone knowing a bit about file systems know that being able to restore some data from a drive is a heck of a lot easier than being able to restore file names, which they demand. Not only do you have to be able to restore the sectors that contain the file name metadata, but you need knowledge of the file system in question, and how exactly it stores its file names. If it's stored in byte swabbed format, you won't even recognize it as a file name.
        Try to do a dd to a file of a working partition and then extract the file names from it. Unless it's a DOS partition or other ancient format, it's not easy, and that's with no zeroing.

        Yes, the "contest" is a farce, and any company that enters into it will lose credibility just by entering.

    • Re: (Score:3, Informative)

      by mikael (484)

      I had an old drive which failed - one of those laptop Travelstar's that were known as 'deathstars' for the number of times they had died from overheating. Data recovery companies gave me a quote for anywhere between 300 pounds and 800 pounds, depending upon whether they would have to remove the spindle/platters from the drive and place them into a new one.

      Fortunately, I managed to recover all the data from this drive for free, by putting it in external USB enclosure, place this in a freezer to cool it down,

    • by BPPG (1181851)

      ... when it comes to destroying the data just overwrite the header area a thousand times with random garbage. It will take only a second or two, and the whole drive will be useless to anyone.

      but that's the point they're trying to make; that's a myth and it's not necessary.

      We're talking tin-foil hat, big brother paranoid level security here though. Your mom's not going to find the porn you deleted on your hard drive that was written over with random garbage, or had the headers deleted. But a super cyber-ninja might (not will, but might) be able to find a particular private key that you left on that same hard drive. And overwriting with garbage is really overkill, zeroes are all that's necessa

      • by cduffy (652) <charles+slashdot@dyfis.net> on Saturday September 06, 2008 @04:34PM (#24903991)

        Everything that 'might' happen is a security risk. If you think I'm being an alarmist, then stop thinking about security. It's necessary to talk in such absolutes. Using a random garbage writer is, well, random. With random, there's almost no chance of it happening. On the other hand, using straight zeroes, it's not possible to recover data from a disk full of zeroes at all. No multiple obsessive compulsive garbage writing necessary. Simple, elegant, and true.

        You're absolutely right that we're talking big brother paranoid level security -- but if you write straight zeros, and writing a zero makes 1->0.05 and 0->0, it may be possible to tell the two states apart. As binary as the data may be, it's still getting written to a physical medium -- and the Real World lives in analogs. Even were this true, however, writing multiple passes of garbage would prevent an entity able to distinguish 0.00 and 0.01 from being able to determine the media's prior state -- and that's the whole point of this operation. Claiming that writing multiple passes of random garbage (or, better, patterns selected to-purpose -- see the Gutmann method) is somehow worse security than a single pass of zeros is complete bunk; the likely case is that it simply doesn't buy anything worthwhile at all, at a cost of time and electricity.

        That said -- absolutely, this isn't a likely attack; if there were a cheap way to make equipment which could read data with that level of precision off of magnetic platters, we'd be using it to make higher-density magnetic platters... and tolerances for how the data is written to those platters is much, much lower today than it was twenty years ago. (Against a twenty-year-old hard drive, I'd expect the chances of someone with a STM and a lot of time to actually be quite good).

        • by Sycraft-fu (314770) on Saturday September 06, 2008 @11:40PM (#24907427)

          Long gone are the days when drives stored things in a simple modulation format. That's what MFM hardrives were (MFM means Modified Frequency Modulation). Now harddrives store an analogue wave, and analyze it to determine the maximumly likely result for a given waveform. It's called EPRML, Extended Partial Response, Maximum Likelihood. You can Google for the specifics of how it works, but the general idea is there isn't a certain threshold beyond which something is 1 or 0. Rather it is an analogue wave of varying intensity and by looking at how it changes, the drive's processor can pick out the binary stream it is most likely to represent. Sounds like voodoo, but works really well and is extremely reliable.

          Well, that means that data recovery of overwritten data just became a hell of a lot harder. It isn't a matter of saying "Well the current data is a 0, however it is on the high end of 0 so it was probably a 1 before." No now you have to be able to tell what the wave looked like beforehand, and interpret that.

          Now maybe there's a way that it is possible, but I'm rather doubtful. There is, of course, also the time factor. Supposing you can do this, how long does it take you to read one byte? A second? A minute? Ok, how long are you willing to spend scouring a drive that has five hundred billion of those bytes? So not only do you need to be able to do this, but you need to be able to do it quite quickly if you are to have any hope of scanning a modern drive in a timescale that is useful.

      • Re: (Score:3, Insightful)

        by Tassach (137772)

        Data destruction can be trivially achieved with just dd and /dev/null

        You ALMOST got it. Data destruction can be trivially achieved AGAINST TRIVIAL ATTACKS with just dd and /dev/zero. There are quite a few published papers on how to recover data from a zeroed hard drive -- attacks that are a LOT more sophisticated than plugging the drive in to a working system and running a piece of software. These attacks aren't easy and do require special equipment and actual knowledge of ELECTRONICS ENGINEERING, not just general computer geekery.

        As a side point, it's /dev/zero, not /d

        • Re: (Score:3, Insightful)

          by Deagol (323173)
          Got cites?

          I know of the original Gutmann paper, his follow-up debunking the "magical" 35-pass requirement, and then there was a dude who tried (unsuccessfully) to track Gutmann's original source material to see if any *real* data recovery had actually been done. This topic really interests me, and I've yet to find *any* evidence that data simply overwritten with zeros has *ever* been recovered (even partially) from modern hardware that even Gutmann himself feels is pretty immune to such techniques, give

  • by MillionthMonkey (240664) on Saturday September 06, 2008 @03:24PM (#24903101)

    000 000, 0 000 0000 0000000 0 0 0 0000 00000! 000 0 000 000 0000000 000 000000 00000? 00 000 000000!

    000 000 00 0000 000.

  • by Joce640k (829181) on Saturday September 06, 2008 @03:25PM (#24903109) Homepage

    That word "percent", I don't think it means what you think it means...

  • Okay, so what's the logical fallacy at work here?
    • Your logical fallacy? Laziness, I guess. Or general failure to read the article.....

      not trying to insult you (or maybe I am, I don't know, but I have nothing personal against you), but the prize purse is $40, as has been mentioned several times already in the comments, and what he is proposing is probably impossible, and if it's not, whoever has that ability probably won't want to share the technique for a mere $40.
    • Re:Pop Quiz (Score:4, Interesting)

      by WK2 (1072560) on Saturday September 06, 2008 @04:17PM (#24903771) Homepage

      Sumary of the fallacies I've seen mentioned on Slashdot so far:
      1) lack of reward ($40, plus used 80GB drive worth $30-$40 new, minus shipping).
      2) risky. You have to pay a deposit of $60, you have to pay shipping, and you only get the drive for 3 days.
      3) You aren't allowed to take the drive apart, which, theoretically, would be necessary for EMF recovery
      4) lack of publicity. Many of us didn't even know about the challenge until today. Most professionals probably will have never heard about the challenge even when it is over.

      Basically, they are assuming that if nobody does the challenge, that nobody could.

      The do have a valid point though. DOD 3-pass is more than enough for 99% of people. Common criminals and the FBI wouldn't recover that, and the NSA might not either. Destroying perfectly good drives is a waste of money and resources, and the practice should stop in 99% of cases.

      Unfortunately, 16systems doesn't have enough funding to prove this. It would be nice if a more wealthy person/company would duplicate this challenge, but have several hard drives, pay shipping, have a reasonable reward ($5000+, the more the merrier), and be able to advertise the challenge better.

  • The operating system that wiped the disk is not the one that was running on the PC, but a "known good" one. Otherwise a rootkit in the PC could lie to the wiping software about overwriting the disk.

    The disk wiping completes successfuly overwriting all the blocks, not just the first few blocks of partition table and directory structure - all the data must be overwritten.

    Although I use DBAN by preference because it's faster and wipes multiple drives at once, dd is a capable choice.

    For "failed to wipe" dri

  • Wow, what a prize! (Score:4, Insightful)

    by Dahan (130247) <khym@azeotrope.org> on Saturday September 06, 2008 @03:28PM (#24903137)

    So the prize for winning is a $60 hard drive, plus $40? Damn, I don't know why people aren't just jumping all over that!

    Also, disassembling the drive is against the rules of the challenge, unless you're a "established data recovery business ... or a National government law enforcement or intelligence agency".

    This "challenge" is stupid.

    • by agurk (193950) on Saturday September 06, 2008 @03:44PM (#24903365)

      Actually they also ask you to tell how you did it. Even though they claim it is not a scam it seems like a scam in the sense that they after this weird experiment have proven that recovery is impossible.

      It is like me setting up a challenge - can ketchup stains be removed from my white t-shirt?

      Send a self-addressed, postage-paid box you pay shipping both ways with packaging material to the address listed below along with a sixty $60 USD deposit United States Postal Service Money Order only and I will mail the t-shirt to you.

      If you can remove the stain you get to keep the t-shirt and I will give you the amazing amount of money $50 and the right to become "official stain remover". Btw, if you can't prove you are a established ketchup removal business - you cannot use water or any other fluid.

      If this challenge is not taken within a year I have the right to tell the world that the worlds dry cleaners can't remove ketchup stains. The whole clothes cleaning industry is a hoax.

      • by Simon80 (874052)
        This is exactly the problem with this challenge, there's no reason why anyone would participate. Anyone in the (forensic) data recovery business would probably prefer to keep quiet about what it takes to destroy data anyway, lest people make their lives more difficult.
    • by Renraku (518261) on Saturday September 06, 2008 @03:45PM (#24903375) Homepage

      The challenge isn't stupid, the rewards are.

      If this were an X-prize type of deal, it'd be a lot better. Who's going to bother with EFMing a drive for $40? I guess some college students with access to those machines might, but those are very fickle and easy-to-fuck-up machines..aka..kept under lock, key, and password.

  • Jeez (Score:5, Insightful)

    by trifish (826353) on Saturday September 06, 2008 @03:28PM (#24903147)

    Interestingly, the most important thing is missing from the summary -- the prize. So, what the prize is you ask?

    An incredible, unbelievable, astonishing and amazing amount of... wtf... fourty (40) US Dollars? Yes, you heard that right! No wonder nobody has shown any interest in participating.

    Full quote from the site: Should someone win, they get to keep the drive. They also will receive $40.00 USD and the title "King (or Queen) of Data Recovery".

    • Re:Jeez (Score:5, Insightful)

      by 7 digits (986730) on Saturday September 06, 2008 @03:38PM (#24903293)

      > Interestingly, the most important thing is missing from the summary

      Not only that, but also the fabulous restriction:

      "You may not [...] disassemble the drive"

      This is ridiculous. A drive overwritten with zero data will, by definition, returns 0s through ATA commands. The reason why some people overwrite sensible data several time is to guard against a possible scanning transmission electron microscopy, which, of course would need the disk to be disassembled to be performed.

      How can this ends on slashdot ? Don't know...

      • by Drantin (569921)

        They do allow data recovery companies to disassemble the drive...

        • Yes, but why would they? They can charge $300 for a business to get important data back, why bother with $40 and a HD?
          • Re: (Score:3, Informative)

            by arth1 (260657)

            $300? That's for running what's pretty much an "undelete" like any shareware program can do.
            $3,000, and you might get what amounts to a sector dump.
            $30,000 and damaged platters/heads might be replaced, and attempts at hardware recovery done.
            $300,000, and the electron microscopes might see use.

            • Real price is $700 (Score:4, Informative)

              by SuperKendall (25149) on Saturday September 06, 2008 @04:46PM (#24904117)

              $300? That's for running what's pretty much an "undelete" like any shareware program can do.
              $3,000, and you might get what amounts to a sector dump.

              Not at all true. I priced this out for a friend that had removed data beyond what the simple undelete commands you mentiioned can do. The real cost is more along the lines of $700, and you get real data files back.

              $3000 is more along the lines of, the actual physical disk inside the case has been disturbed and you are talking about recovering whatever data you can. That starts to get real pricey, really quickly.

    • Interestingly, the most important thing is missing from the summary -- the prize. So, what the prize is you ask?

      An incredible, unbelievable, astonishing and amazing amount of... wtf... fourty (40) US Dollars? Yes, you heard that right! No wonder nobody has shown any interest in participating.

      Full quote from the site: Should someone win, they get to keep the drive. They also will receive $40.00 USD and the title "King (or Queen) of Data Recovery".

      That's not fair. They also get to keep whatever broken pile of scrap remains of the drive after they've managed to scrap the file/folder names off it :)

      This prize is so valuable that it is actually a kingdom.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Yes, but once the Nation of Data Recovery rises, that prize will seem a lot better.

  • by phantomfive (622387) on Saturday September 06, 2008 @03:30PM (#24903161) Journal
    Ugly unprofessional website, a prize purse of $40USD (plus the hard drive), restrictions that the drive can't be disassembled.....I can't imagine why they're having trouble getting interest. Raise the purse to $10,000 and you might have something.

    In addition, according to Wikipedia, [wikipedia.org] what he proposes is actually impossible, at the very least an electron microscope would be needed.

    Can't say I'm entirely disappointed by this story, though. At least I learned something that I was ignorant of before.
    • Well, its not impossible, but it would require the disassemble of the drive and the use of some expensive machinery or possibly knowledge of the harddrive's circuitry. . If I were in college, it might be a neat research project, but they explicitly say that you cannot disassemble it unless you are a for profit company or governmental agency. But yeah, for the "prize" its just plain stupid.

      I'd like to try that myself with my own disk. I have some sophisticated software that I've used in the past to recov
  • Utter stupidity (Score:5, Insightful)

    by Reality Master 101 (179095) <RealityMaster101.gmail@com> on Saturday September 06, 2008 @03:30PM (#24903165) Homepage Journal

    First of all, do data recovery firms ever *claim* they can recover from a zeroed drive? No, they don't. The claim is that government-level forensic analysis *might* be able to recover data with only a single overwrite, with very sensitive expensive equipment. Not terribly surprising the FBI wouldn't take them up on this challenge.

    Second of all, someone is supposed to waste a lot of time and money for just a cheap drive and a piece of paper from some entity no one has ever heard of?

    And they're doing this to "prove" that this type of data recovery can't be done?

    This has to be the lamest challenge that's ever been issued.

    • Re: (Score:3, Funny)

      by Mike1024 (184871)

      someone is supposed to waste a lot of time and money for just a cheap drive and a piece of paper from some entity no one has ever heard of?

      I know the dollar has declined in value a lot in recent years, but it's hyperbole to call $40 "a piece of paper from some entity no one has ever heard of"

  • The only way one could recover data here would be play on small change in alignment of the head to see what was before the 0, however, the instruction specifically prevent disassembling the hard drive... why do they even ship it then ?

  • by mrvan (973822) on Saturday September 06, 2008 @03:35PM (#24903251)

    Okay, here are my 3 reasons why a company would not accept this challenge:

    (1) economical:

    - I am asked to mail 60 USD to a random address, who claim they will return it to me if I send the harddisk back. This is a risk (how do I know it is not a scam?)
    - In any case, I lose shipping charges both ways
    - Maximum gain is 40$, plus an obscure web site calls me King of data recovery.
    - Risk + Cost >> Gain

    (2) International

    I am asked to ship a US Postal money. A WHAT? Hello, creditcard? Paypal? Normal internaional cheque?

    (3) Disassembly

    All reasons I've heard for doing something more than dd is that there might be residual magnetic charge on the platter that is ignored by the filesystem. According to the rules of engagement, only some weird collection of institutions ("established data recovery business located in the United States of America" or "National government law enforcement or intelligence agency (NSA, CIA, FBI)") may disassemble the drive. How am I going to detect residual charge if I cannot disassemble it?

    The last arguments compounds the first two, as only US Companies can disasseble, and disassembly voids the deposit, meaning I am certainly out 60$.

    Next time that they want to be "noble and just to dispel myths, falsehoods and untruths", they should make a challenge that is actually interesting to any party to pick up.

  • From the FAQ: Because many people believe that in order to permanently delete data from a modern hard drive that multiple overwrites with random data, mechanical grinding, degaussing and incinerating must be used. They tell others this. Like chaos, it perpetuates itself until everyone believes it. Lots of good, usable hard drives are ruined in the process

    Well, that might be right, private recovery companies may not be able to recover data in that case, but this does not mean this is not possible for governm

  • From The Experts (Score:4, Insightful)

    by randomc0de (928231) on Saturday September 06, 2008 @03:35PM (#24903261)

    Given my general level of paranoia, I recommend overwriting zeros, and five times with a cryptographically secure pseudo-random sequence. Recent developments at the National Institute of Standards and Technology with electron-tunneling microscopes suggest even that might not be enough. Honestly, if your data is sufficiently valuable, assume that it is impossible to erase data complete off magnetic media. Bur or shred the media; it's cheaper to buy media new than to lose your secrets.

    Because all data recovery companies have electron-tunneling microscopes on hand for recovery and aren't just running a Linux distro with a modified ext3fs to ignore "deleted" inodes. The longest AES key I've cracked is 28 bits (in Python, no less!). Yet we still use a minimum of 128, more likely 256. It's not the guys running recover [sourceforge.net] I'm worried about. It's the spooks with electron f'ing microscopes and a direct connection to AT&T.

  • I would expect that the resources that would be required (for the equipment and the expertise) to make a serious attempt at this are out of reach for most. I'm sure the likes of organizations such as the NSA have already attempted this, but as to whether or not they had any success..well I'm sure that information is classified.

    --
      WI-FIzzle Blaahhggg.. I just post useful code snippets and linux information here [wi-fizzle.com]

  • An urban legend (Score:5, Interesting)

    by Ancient_Hacker (751168) on Saturday September 06, 2008 @03:38PM (#24903297)

    It's an urban legend. You can't recover erased bits. If you could it would imply that you can store at least two bits in the space of one. Disk companies have a pretty good idea what their heads and surfaces can do. Do you think they'd be passing up big $$$ by under-utilizing their disk's capacity?

    There is that one Usenix conference "paper" foating around out there, but if you read it carefully it does not give a single example of one recovered bit.

    If you've ever looked at the waveform coming off a disk head, you'd wonder with all the x/y noise and jitter how they can get even ONE bit out of that hairball. The answer is, they can, just barely, by applying all the sync, gating, PLL, and deglitching tricks, just barely reliably recover bits at the maximum recording density possible.

    And all those pictures they show of bit patterns lingering under large erased areas are actually counter-examples. They prove that you can detect periodic bit patterns under large erased areas. Duh. In the real world the underlying data is not periodic, and the erasure isn't smooth or periodic either. If you overwrite real typical data with random data, you can't recover the original data. Shannon and company, you know.
     

    • by russotto (537200)

      It's an urban legend. You can't recover erased bits. If you could it would imply that you can store at least two bits in the space of one. Disk companies have a pretty good idea what their heads and surfaces can do.

      The idea is you wouldn't use standard heads.

    • by Jane Q. Public (1010737) on Saturday September 06, 2008 @03:56PM (#24903527)
      ... it is merely old tech that is no longer relevant. In the old days of sloppy mechanical tolerances (and read-write heads), it was possible to leave traces that were misaligned with the main bits of the current data. With good custom drivers and software, it was often possible to recover some of this data.

      This is of course no longer true what with much tighter tolerances, smaller and vertical magnetic domains, and so on. I think that is the point of this challenge.
    • At the end of a disk's life, it is usually 3-5 years old, during which time the sensitivity of the pickup and the magic of the DSP have doubled more than once. So your attacker takes your discarded disk and installs the platters in a modern mechanism, enabling him to read, with his much more sensitive equipment, magnetic fields that the original mechanism was unable to detect.
  • .... to recover all the zero's

  • Their offer if you win: a whopping $40 (plus you get to keep the drive!). No way in hell you can recover data after dd for $40. My time alone is worth more than that. Offer me $40,000 and I'll consider it.
  • "Forensic data recovery" may have worked on overwritten drive space before, back when mechanical tolerances and drive heads were sloppy. Modern drives are a much different story. There is little to no room for "magnetic slop" surrounding a written bit. If there were, the drives would simply not work well!
  • by larry bagina (561269) on Saturday September 06, 2008 @03:45PM (#24903377) Journal
    Last month, I challenged every female olympic gymnast to prove she was over 16 by having sex with me. (The age of consent is 16 in my state). To date, every gymnast has ignored me, with the exception of 1 whose boyfriend threatened to kill me. Therefore, we now have proof that all the female olympic gymnasts are under 16 and should be disqualified.
  • From the link, what one data recovery company said after being told that the drive had been zero'd out with dd:

    According to our Unix team, there is less than a zero percent chance of data recovery after that dd command. The drive itself has been overwritten in a very fundamental manner.

    Can anyone tell me what's so fundamental about the "dd" command that there's not even no chance the data could be recovered?

    • by zippthorne (748122) on Saturday September 06, 2008 @04:36PM (#24904021) Journal

      Read the source.

      If you feed it a long string of zeros and don't give it any stopping conditions, it activates the drive's vacuum pump and removes all of the air. This step eliminates the cushion keeping the heads off of the disk, so while "writing" zeros, they're also shaving a layer of magnetic material.

      This is more than sufficient to wipe your drive and prepare for a fresh install, unless your drive uses vertical bits. Keep in mind, though, that hard drives are like wood floors. You can only plane them two, three times, tops, before they have to be replaced.

  • From the site: Legitimate data recovery firms know this. They will not take the challenge. Neither will a national government agency.

    Okay, well first of all, it wouldn't be in the interest of any government law enforcement to accept this challenge. Why would they? To show us what they can and can't do? I think it's in their best interest to keep that to themselves and keep us wondering.

    I don't know if the overwriting thing is a myth or not. I don't know enough about the physics of it to even approach an an

  • by viking80 (697716) on Saturday September 06, 2008 @04:01PM (#24903581) Journal

    It is likely that there is a hysteresis in the platter causing a "0" written on top of a "1" to be slightly "weaker" than a "0" written on top of a "0".

    On old tape, this hysteresis was about 10%, and was actually visible with a magnetic loupe, so depending on s/n ratio, you could recover quite a bit, no pun intended.

    The problem with a HDD is that the signal from the heads go through a lot of signal processing including Extended PRML or EPRML. There is also an algorithm like RZ to not have a long series of the same bit written physically. If you take the electrical output from the read head, you will have a big task reconstructing the data, even if there only good data.

    The only places today that can analyze well what is read physically is at HDD manufacturers research lab, and probably using custom HW to read the platter that collects all the errors and offsets. For a recovery company to do this, they probably would have to invest millions of $$$, so they will not.

    So bottom line is that you could send the drive in to Western Digital, and they could probably recover the raw data with about 90% accuracy. If that is enough for the error recovery to chew on, I am not sure, but here and there, long strings would be recovered. They can for sure give the exact probability for the recovery of a bit.

    WD however does not have any incentives to demonstrate that wiping their drives with "0" is not sufficient. aux contrare, they may consider this an undesirable property. Therefore, the only ones that can recover this is unwilling.

    So the challenge remains unaccepted.

    • Re: (Score:3, Insightful)

      by glwtta (532858)
      So bottom line is that you could send the drive in to Western Digital, and they could probably recover the raw data with about 90% accuracy.

      That's a pretty impressive number, to just pull out of your ass.
  • Prize (Score:4, Funny)

    by FooGoo (98336) on Saturday September 06, 2008 @04:19PM (#24903801)
    Hmmm, you get to keep the drive if you win which also means you get to keep any data recovered. If it's filled with pirated music that could add up to a lot of money at $750 per track.
  • by bill_kress (99356) on Saturday September 06, 2008 @04:28PM (#24903895)

    The few people who MIGHT have the capability to look beyond what is written on the drive and see patterns remaining from previous data are most likely the ones who would prefer that the concept remain vague and unproven.

  • Eh (Score:3, Funny)

    by OverlordQ (264228) on Saturday September 06, 2008 @04:31PM (#24903943) Journal

    A graduate of Virginia Tech (Phi Beta Kappa 2000), Brad has experience in systems administration, systems programming and IT management. Today, he primarily works on IT security reviews and writes programs such as Find_SSNs. Brad also assists with incident response, computer forensics, departmental database design and management, and works with students in the IT Security Lab as needed. He holds the SANS GCFA (computer forensics certification) and the GIAC STAR Payment Card Industry certificate.

    I think somebody needs their money back from their forensics certification.

  • Where in the hell... (Score:3, Informative)

    by John Hasler (414242) on Saturday September 06, 2008 @05:02PM (#24904289) Homepage

    ...did these guys get the idea that anyone who knew what they were talking about claimed that it was possible to recover data from an overwritten drive without taking it apart?

  • Dear sir, (Score:5, Funny)

    by mypalmike (454265) on Saturday September 06, 2008 @05:21PM (#24904461) Homepage

    Kindly sir, I am a Nigerian Prince trying to transfer some data from a zero-ed out hard drive to my cousin in the U.S.A. If you would kindly deposit $60 into my bank account, I will send you the hard drive. Upon your transmission of the data to my cousin, I will promptly return your $60, plus $40 for your effort. You may also keep the hard drive.

    Your friend,
    Prince Njeme Nawabi, P.O.S.

  • by Skapare (16644) on Saturday September 06, 2008 @06:24PM (#24905103) Homepage

    ... if using older recording technology that has gaps between tracks and records zeros in raw form. Today's recording involves multi-level coding and scrambling, where even all-zeros will have a big mash-up of flux values, and overlaps the gaps to some degree.

    If that 80 GB drive that had been zeroed-out with dd had recorded Osama bin Laden's exact location, you can be sure the data recovery experts at certain nameless US government agencies would scramble to get hold of that drive, regardless. And it would not surprise me if they can recover some data from it. They would not be worried about getting their $60 deposit back, and the drive will likely be destroyed as a hard drive as we know it. The tab for such recovery could be in the millions of dollars, but for that kind of data, it would be worth it.

    Is the data on your computer with that to someone?

  • Well known (Score:4, Insightful)

    by gweihir (88907) on Sunday September 07, 2008 @12:40AM (#24907717)

    The German computer magazine c't did try to get a disk that was overweritten once with zeros recoverd two years ago or so. All data recovery companies they contacted (all the major ones) said they could not do it and that it was likely impossible. So this is not newa at all. Even Gutman had an addendum that says tomething close for modern disks.

    The source of all these stories is that it used to be possible, when disc coatings were more advanced than r/w head and electronics. That is not the case anymore. It is very likely that you cannot put much more data on the disk than a moder HDD does. That also means that a single overwrite is an unrecoverable deletion. Keep in mind, that due to the particulars of the modulation, an all zero overwrite does not take up less of the surfaces data storage cabaliluty as a fully random overwrite.

    Basically the pople that claim recovery is possible are one or so decades behind the times. Nothing new.

Save yourself! Reboot in 5 seconds!

Working...