this post was submitted on 22 Nov 2024
520 points (98.5% liked)

Technology

59653 readers
2807 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] mosiacmango@lemm.ee 5 points 4 days ago* (last edited 4 days ago) (6 children)

DoD dropped it 7 and 3 pass requirements in 2006.

Later in 2006, the DoD 5220.22-M operating manual removed text mentioning any recommended overwriting method. Instead, it delegated that decision to government oversight agencies (CSAs, or Cognizant Security Agencies), allowing those agencies to determine best practices for data sanitization in most cases.

Meanwhile, the U.S. National Institute of Standards and Technology (NIST), in its Guidelines for Media Sanitization of 2006 (PDF), stated that “for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media.” When NIST revised its guidelines in late 2014, it reaffirmed that stance. NIST 800-88, Rev. 1 (PDF) states, “For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.” (It noted, however, that hidden areas of the drive should also be addressed.)

For ATA hard disk drives and SCSI hard disk drives specifically, NIST states, “The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. Multiple write passes or more complex values may optionally be used.”

[–] Saik0Shinigami@lemmy.saik0.com 3 points 4 days ago* (last edited 4 days ago) (5 children)

Congrats? DBAN was made prior to 2006... IT people existed before 2006. What's your point? You think that people just spawned into existence in 2006 with decades of IT knowledge? So like I said... "It WAS my default for a very long time because I simply defaulted to it for COMPLIANCE reasons"... eg. my contracts at the time required it and I ran boatloads of wipes.

Regardless... DOD 5220.22-M now states

The National Industrial Security Program Operating Manual (NISPOM) is now Part 117 of Title 32, Code of Federal Regulations.

So let's go look at the NISPOM stuff which says... NOTHING! So what you end up with is companies referencing the old DOD 5220.22-M because old government contracts will actually say that specific document in contracts as something that must be adhered to for a long long time. So even though it "died" on 2006, contracts may not be renewed for some time after that which still keeps the document alive.

Now DOD 5220.22-M actually specified and defines short wipes (3 pass) and long wipes (7 pass). And in theory, could be superceded by NIST 800-88 (and probably is the default on modern contracts). And regardless of all of that... DoD internally has it's own standards, which after wipe often requires degaussing or outright destruction of the disk, I remember having a dedicated device for it that would document serials and stuff. I'd have to pull up my army documents to remember which specific rules required that type of stuff, but I'm not going to dig out shit from 2010 just to argue with someone on lemmy.

So I guess this boils down to... The world didn't spawn into existence in 2006. People are older than 2006 and are allowed to talk about their experiences from before the "old times".

Edit: And in current contracts... all our shit is NVMe and secure erase. But I'm willing to bet muscle memory would still kick in for me if I saw the DBAN screen.

[–] mosiacmango@lemm.ee 1 points 4 days ago* (last edited 4 days ago) (1 children)

I'm discussing this comment :

https://sopuli.xyz/comment/13141026

the one that you initially replied to talking about recent Spanish court case where the defendants used a 7x wipe on some drives that were required to be retained as evidence.

Im well aware sysadmins existed before 2006, and also don't see how that's relevant in context. Security practices change over the course of 18 years in IT, as they have for secure wiping data.

So am I. I'm not sure what you think wasn't relevant. It's a literal DoD spec. Yes that spec is outdated, but it's still in Dban.

You coming out of nowhere talking about how the DoD spec itself is "dead" doesn't change the fact that it's available and probably still used by many people out there. I'm willing to be that several companies have the old DoD spec embedded in their own SOPs. And I was always talking in the context of the contract work I did long ago which WAS to the old DoD spec regardless.

load more comments (3 replies)
load more comments (3 replies)