Date: Tue, 10 Jun 86 19:20:56 edt
From: "Gerard K. Newman" <GKN@SDSC.bitnet>
Subject: Declassifying memory

        From: K6QJ@CORNELLA
        Subject: Declassifying floppies and winchester disks

        Please pardon my ignorance on the topic, but why  couldn't a disk
        (floppy or winchester) just be re-formatted and verified blank?  What
        method(s) does the NSA approve for declassifying disks?

It's not that easy.  The data tracks on a disk are actually wider than the
data stream that is written on them.  When information is written on a track
on a disk, there is some slop which causes some data to be visible outside of
the centerline on the track.  This is how offset recovery works on disk drives
which support it.  Reformatting the disk doesn't erase the entire track, but
only the data portion of the track.  It is conceivable that a disk drive with
a head positioning mechanism of sufficient precision could be built, and used
to recover data from the "sides" of the track.  How much information, or how
useful the information is is a moot point.

I can't really address what methods the NSA approves for declassifying
disks because I really don't understand them fully.  I think that they
involve multiple passes with multiple bit patterns, but again I'm not
really sure.  Maybe someone out there could clear this up?

For the US DOE machines that I'm familiar with that process classified
data, disks are not declassified;  they are destroyed as classified
waste (this includes trashed RA81 HDAs).

          This reminds me of something I heard a while back:  after a program
        finished processing classified data, the entire RAM would have to have
        zeros written to it several times to make sure the data was gone and
        wouldn't come back.  Doesn't make much sense for RAM, but I could see
        such a specification for magnetic media. Perhaps this dates back to
        the days of core memory...

It does indeed date back to the days of core memory.  US DOE machines
which process classified data and have semiconductor memory cannot have
battery backup.  It is also sufficient to power the memory off and back
on again in those machines to declassify (the term they use is "sanitize")
them.

gkn

---------------------------------------
Arpa:   GKN%SDSC.BITNET@WISCVM.WISC.EDU
USPS:   Gerard K. Newman
        San Diego Supercomputer Center
        P.O. Box 85608
        San Diego, CA  92138
AT&T:   (619) 455-5076

Date: Thu, 12 Jun 86 03:24:54 edt
From: Scott Brim <swb@DEVVAX.TN.CORNELL.edu>
Subject: Re:  Declassifying memory

The CIA does big disk packs with an inCREdibly powerful magnet.

Date: Mon, 16 Jun 86 02:47:48 edt
From: Michael Barker <mbarker@BBNZ.arpa>
Subject: re: declassifying (long ~7000 char)

(apologies on the length - I got carried away)

Some recent netmail quotes:

>Please pardon my ignorance on the topic, but why couldn't a disk
>(floppy or winchester) just be re-formatted and verified blank?  What
>method(s) does the NSA approve for declassifying disks?

NSA does not approve methods for declassifying disks except for their
own classified information.  They do, however, recommend methods.  The
individual services and agencies ("the classifying authority") are
responsible for selecting their own methods.  Normally this means that
they use at least the NSA recommended methods and may go beyond that.

>How much information, or how
>useful the information is is a moot point.

see discussion below.

>I can't really address what methods the NSA approves for declassifying
>disks because I really don't understand them fully.  I think that they
>involve multiple passes with multiple bit patterns, but again I'm not
>really sure.  Maybe someone out there could clear this up?

>disks are not declassified;  they are destroyed as classified
>waste (this includes trashed RA81 HDAs).

>This reminds me of something I heard a while back:  after a program
>finished processing classified data, the entire RAM would have to have
>zeros written to it several times to make sure the data was gone and
>wouldn't come back.  Doesn't make much sense for RAM, but I could see
>such a specification for magnetic media. Perhaps this dates back to
>the days of core memory...

>It does indeed date back to the days of core memory....  It is also
>sufficient to power the memory off and back on again in those machines
>to declassify (the term they use is "sanitize") them.

well... yes and no.

It's been a while since I had to write a program to sanitize either a
disk or memory, but I think I can summarize the main principles.  First,
the level of the information being protected is very much a key to
determining the required methods of sanitizing disks and memory.  Some
information is considered more sensitive than other information.  The
sensitivity of the information translates fairly directly into an
estimate of the level of effort that a hypothetical "foe" would put into
trying to get the information.  There is also an "aging" factor to
consider - e.g. today's negotiations between Intergalactic Boredom
Masters and Village Bankers may be part of tomorrow's stock market
report, while negotiations between Normally Strange Agency and Circular
Information Agency may be sensitive for a very long time.  Physical
security and other measures help to determine the "window of
vulnerability" - e.g. can the "foe" get to the terminal, take the
boards, etc.  All of these factors are used in estimating the potential
threat.

The trick, then, is to make the sanitizing process effective against the
estimated threat.  To put it another way, you want to make the cost of
recovering the data higher than the estimated value of the data - given
that the "foe" is allowed to use any methods available to recover the
data.  When the estimated threat is very high, the measures to be
protected against can involve "unreasonable" problems - e.g.  dynamic
RAM does have some "memory" of data even after power off if the "foe" is
willing to do very odd things to get the data back.

Second, the sanitizing process depends on what you're sanitizing for -
e.g. sanitizing for a temporary visit by uncleared managers may simply
mean putting classified storage in safes and zeroing memory by turning
it off and on, while sanitizing for removal from the cleared facility
may mean physical destruction.

Third, sanitizing is just part of an entire security system, which
includes a number of other elements like physical security.

Fourth, different types of storage, different services and agencies, and
random variations in the security climate require different procedures -
check with your Contracting Office's Technical Representative (COTR),
security personnel, and the latest doctrine, procedures, and standards
for your project that you can find.  Ultimately, the security office
will have to rule on whether the methods you have provided are adequate,
and (since they are responsible for it), you will have to explain to
them why these methods are enough.

Note that it is not enough to say "disks" or "memory" when you are
trying to determine the threat.  You usually have to specify exactly
what kind of storage you are dealing with.  Core memory had some
specific problems, but modern dynamic RAM also has some memory under the
right circumstances.  In at least one project, the exact chip
specification had to be given to the government personnel - and after a
while they came back with a report on how long data could stay in this
chip before it "learned" it.  The report recommended moving data in
memory during operation to avoid giving the chips a chance to retain it,
and specified a clearing procedure.  Nice to know your tax dollars
produced that.  Basically, given physical access to RAM, it is possible
(through extra-ordinary methods) to recover data even after the power
has been turned off, and to some extent after other data has been
written to it.  Therefore, if the threat is high, you may have to take
extra-ordinary measures.

  For most data storage, depending on the estimated threat level, the
basic method boils down to:

    a.  a program that runs stand-alone (NO SYSTEM SERVICES - DIRECT
HARDWARE INTERFACES ONLY).  Typically assembly language, verified and
protected from changes, etc.  e.g. this program must be loaded from a
special protected storage place.

    b.  write and read N times bit patterns with verification each time
that the pattern matched (NOT CRC or checksum - bit by bit, slowly it
ran).  N is usually a default minimum and user selectable for larger
values.  Any failure to match may require that the program start over at
the beginning.

    c.  use a default fixed bit pattern and its complement, a user
supplied bit pattern and its complement, or a sequence of bit patterns
and their complements.  If you've seen descriptions of the exhaustive
memory tests that check for stuck bits, adjacent bits, addressing
problems, etc., you'll have an idea of the kinds of things to try.

    d.  if you have reason to think that there may be some residue (e.g.
track edges, bleed-through into base material, low-level excitation of
the layers, etc.) AND the information is sufficiently sensitive that
someone may use extra-ordinary measures to get it, you may have to
continue protecting the storage at some level even after this.  One
fairly common requirement for removal from a cleared facility is
physical destruction of the media (grind it into itsy-bitsy pieces
and/or heat it up, making it harder to put back together).  Of course,
if you are just trying to protect it while an uncleared person does PM,
it may be sufficient to zero it - but you can't let them take the
storage away with them.

    hope this clears up some points
    mike

Date: Fri, 20 Jun 86 05:23:37 edt
From: Douglas Humphrey <deh@ENEEVAX.UMD.edu>
Subject: Re:  Declassifying memory

>The CIA does big disk packs with an inCREdibly powerful magnet.

Are the packs still useful after this, or do they do this as part
of the procedure to destroy them ? Though most of a disk pack is
non-ferrous metal, the bolts that hold the platters and separators
together are steel, and could pick up a serious magnetic bias if
exposed to a really large (whatever that is) magnet. This would
render the pack useless for a number of reasons.

The method used seems to vary greatly depending on the classification
level of the data being protected, the media it is on, and so on.
If the pack were to be used again for data of similar or greater 
security level, then maybe a good erasure would be all that is needed,
except in cases such as SCI.

Still, if the media is going to be released from physical security, 
say to be sold at a DPDO auction, then I would vote for it to be 
destroyed and take no chances. 

Doug
Digital Express Inc.

Date: Sat, 28 Jun 86 23:30:45 edt
From: Donna Stevens <dys%b@LANL.arpa>
Subject: Re:  Declassifying memory

the current requirement (as i understand it) is to overwrite the entire
disk with zeros, overwrite with ones, and then overwrite with a random
pattern of alphanumeric characters.  we prefer, however, to degauss the
ones that are too expensive to simply destroy--"approved" degaussers
and degaussing wands are available.  just fyi.
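The overwrite procedure Michael Barker outlines (stand-alone program, N rounds of a pattern and its complement, every byte read back and compared individually rather than via a checksum, restart from the beginning on any mismatch) and the zeros / ones / random-alphanumeric sequence Donna Stevens describes are both shown below as an added C example. It is not code from the thread or from any agency's sanitizer; the `struct region` with its `stuck_or` field is a constructed stand-in for a direct hardware interface with a fault injected for the example, and the LCG, pattern list and buffer contents are my own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A storage region reached through a direct interface (no file system, no OS
 * services).  stuck_or is a constructed fault model for this example: bits set
 * in it always read back as 1, standing in for a stuck cell or a bad sector. */
struct region {
    volatile uint8_t *mem;
    size_t len;
    uint8_t stuck_or;
};

static void    dev_write(struct region *r, size_t i, uint8_t v) { r->mem[i] = v; }
static uint8_t dev_read(const struct region *r, size_t i) { return r->mem[i] | r->stuck_or; }

/* Seeded LCG so a "random alphanumeric" pass can be regenerated for read-back. */
static uint32_t lcg_next(uint32_t *s) { *s = *s * 1664525u + 1013904223u; return *s; }
static const char ALNUM[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
#define PASS_RANDOM 0x100   /* pseudo-pattern: alphanumeric stream instead of a fixed byte */

static uint8_t pass_byte(unsigned pattern, uint32_t *s) {
    return pattern == PASS_RANDOM ? (uint8_t)ALNUM[(lcg_next(s) >> 16) % 62] : (uint8_t)pattern;
}

/* One pass: write the pattern over the region, then read every byte back and
 * compare it individually (no CRC or checksum, as the thread insists). */
static bool overwrite_and_verify(struct region *r, unsigned pattern, uint32_t seed) {
    uint32_t s = seed;
    for (size_t i = 0; i < r->len; i++) dev_write(r, i, pass_byte(pattern, &s));
    s = seed;
    for (size_t i = 0; i < r->len; i++)
        if (dev_read(r, i) != pass_byte(pattern, &s)) return false;
    return true;
}

/* N rounds over a pattern list; each fixed pattern is followed by its complement.
 * Any mismatch restarts the whole job from the first pass, at most max_restarts
 * times.  Returns the number of passes completed, or -1 if it had to give up. */
int sanitize_region(struct region *r, const unsigned *patterns, size_t npatterns,
                    unsigned rounds, unsigned max_restarts, uint32_t seed) {
    for (unsigned attempt = 0; attempt <= max_restarts; attempt++) {
        int passes = 0;
        bool ok = true;
        for (unsigned k = 0; k < rounds && ok; k++) {
            for (size_t p = 0; p < npatterns && ok; p++) {
                ok = overwrite_and_verify(r, patterns[p], seed + k);
                passes++;
                if (ok && patterns[p] != PASS_RANDOM) {
                    ok = overwrite_and_verify(r, ~patterns[p] & 0xFFu, 0);
                    passes++;
                }
            }
        }
        if (ok) return passes;
    }
    return -1;
}

/* The zeros / ones / random-alphanumeric sequence, run as three plain passes. */
int sanitize_zeros_ones_random(struct region *r, uint32_t seed) {
    static const unsigned seq[] = { 0x00, 0xFF, PASS_RANDOM };
    for (size_t p = 0; p < 3; p++)
        if (!overwrite_and_verify(r, seq[p], seed)) return -1;
    return 3;
}

/* Post-condition checks used by main() and by the tests. */
bool region_all_byte(const struct region *r, uint8_t v) {
    for (size_t i = 0; i < r->len; i++) if (dev_read(r, i) != v) return false;
    return true;
}
bool region_all_alnum(const struct region *r) {
    for (size_t i = 0; i < r->len; i++) {
        uint8_t b = dev_read(r, i);
        if (b == 0 || !strchr(ALNUM, (char)b)) return false;
    }
    return true;
}

int main(void) {
    uint8_t buf[64];
    memset(buf, 'S', sizeof buf);                   /* constructed "classified" contents */
    struct region good = { buf, sizeof buf, 0x00 };
    unsigned pats[] = { 0x55 };
    printf("healthy region: %d passes, ends all 0xAA: %d\n",
           sanitize_region(&good, pats, 1, 2, 1, 7), region_all_byte(&good, 0xAA));
    struct region stuck = { buf, sizeof buf, 0x01 };
    printf("stuck-bit region: %d (gave up after restarts)\n",
           sanitize_region(&stuck, pats, 1, 1, 2, 7));
    return 0;
}
```

The stuck-bit region shows why bit-for-bit read-back matters: 0x55 happens to survive a stuck low bit and verifies, but its complement 0xAA reads back as 0xAB, so the job restarts and finally reports failure instead of declaring the region sanitized. A real sanitizer would replace `dev_write`/`dev_read` with the controller's own register interface, which is the "no system services" requirement in the thread.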

Date: Fri, 11 Jul 86 17:30:26 edt
From: "Henry N. Holtzman" <holtzman@MEDIA-LAB.arpa>
Subject: Re:  Declassifying memory

/***** media-lab:security / dys%b /  7:21 am  Jun 28, 1986*/
Date: Wed, 18 Jun 86 14:53:33 mdt
From: dys%b@LANL.ARPA (Donna Stevens)

we prefer, however, to degauss the ones that are too expensive to
simply destroy--"approved" degaussers and degaussing wands are
available.
/* ---------- */

I think it needs to be pointed out to the (perhaps) unsuspecting
public that most "expensive" disk packs have one side of one platter
formatted with servo information by the factory.  You need a special
drive to write this info.  Therefore, in most situations, for most
people, "degaussing disk packs that are too expensive to destroy" is
somewhat self contradicting.

This is also true of much winchester non-removable media available.
Except, of course, there is no way to toss the pack and use a
different one.

-Henry

Date: Sat, 12 Jul 86 04:18:33 edt
From: HENRY DREIFUS <dreifus@WHARTON-10.arpa>

For many, it has been and still is, the easiest to simply destroy the
media.  It reduces risk and is most definitely secure.  Typically,
magnetic tape is incinerated.  There are some who shred their floppy
disks - a preferred method of destruction, and disk packs are broken down,
heat treated and then scraped.  Core memories - which are still widely in
use around the world - are physically destroyed.  MOS and other
semiconductor memories are subjected to multiple write/re-write cycles,
or are squib'd (physically destroyed using thermite explosive charges).
Smart-cards and other media are shredded (see floppy disks).  Optical
media is typically burned or shredded - depending on the format.

Date: Fri, 18 Jul 86 12:39:20 edt
From: Donna Stevens <dys%b@LANL.arpa>
Subject: Re:  Declassifying memory

We are aware that servo information is on one side of one platter; it
does not matter.  When we degauss a disk pack, *EVERYTHING* is grunched,
including the servo information.  So this is not a self-contradicting
statement.  The approved degaussers perform (provably) such that the
disks can be released to the vendors for repair/re-use and, at $7-8K
per disk, this can be a substantial savings for the big systems.

The Winchesters are, indeed, a problem, and I have been very interested in
net information on clearing them.

Date: Thu, 24 Jul 86 11:48:13 edt
From: "Keith F. Lynch" <KFL%MX.LCS.MIT.EDU@MC.LCS.MIT.edu>
Subject: Degaussing

    From: dys%b@LANL.ARPA (Donna Stevens)

    We are aware that servo information is on one side of one platter; it
    does not matter.  When we degauss a disk pack, *EVERYTHING* is grunched,
    including the servo information.

  This does not hurt magnetic tapes and (standard) floppies.  After
being degaussed they can be initialized and used as if they were new.  
I didn't know this wouldn't work for hard disks (they won't fit in
our degausser) but I know some floppies, for instance Lanier word
processor floppies, are unusable after being degaussed.

    The Winchesters are, indeed, a problem, and I have been very interested
    in net information on clearing them.

  Perhaps the whole sealed Winchester unit could be placed in a large
enough degausser.  I did this with a cassette player once, to erase the
tape as it was being played.  Unfortunately, the permanent magnet in the
speaker and the permanent magnet that is used to erase tapes when you
record over them were also degaussed.  So make sure the Winchester unit
contains no permanent magnets before you try this.
								...Keith

Date: Wed, 30 Jul 86 06:32:33 edt
From: Larry Hunter <hunter@YALE.arpa>
Subject: Re: Degaussable disks

    If I were to design such a beast, I'd make the formatting/alignment
    information permanently recorded OPTICALLY (not necessarily with
    laser techniques) so that the whole thing could be degaussed without
    destroying formatting info.
    
These are called hard-sectored disks (they have holes punched in them 
to mark sectors) and are basically an old technology.  I'm not sure
why everybody seems to have gone to soft(ware) sectored disks, but
I know Priority One Electronics in LA (and probably lots of other
people, too) sell hard-sector disks and drives.  Anybody still using
those things out there?

                                    Larry Hunter
                                    HUNTER@YALE.ARPA
-------


Date: Wed, 30 Jul 86 12:05:53 edt
From: Douglas Humphrey <deh@ENEEVAX.UMD.edu>
Subject: Re:  Declassifying memory

The idea of having the built in degaussing is an interesting way to go.
I'll bet that the Soviets would go for it, but they would be more comfortable
with a similar system that lowers a small set of files down onto the
disk surface, producing great clouds of oxide, powerful screeching
noises, and other assorted things....

Sounds like a lot of fun if someone else is paying .....

Doug

Date: Wed, 30 Jul 86 12:31:21 edt
From: Michael Kharitonov <misha@ERNIE.BERKELEY.edu>
Subject: Re:  Degaussing

DO NOT repeat DO NOT try degaussing a complete winchester HDU (head disk unit)
as they contain lots of items which should not be exposed to large magnetic
fields. These include: actuator magnets, head/preamp assys. due to large
voltages generated by the field interacting with the head coil, and in many
cases magnetic motor components.  There are two other reasons not to do so.
One is that it is extremely easy to leave portions of the unit semi-permanently
magnetized.  If this were to occur, let's say, to an item near the disk surface,
you would be plagued with later self-erasure of the data tracks.  The second
reason, which makes the whole subject somewhat moot, is that virtually all
winchesters of reasonable capacity (I'm not familiar with the smallest ones)
depend upon permanently recorded servo and/or formatting information for their
operation.  Erasing this information necessitates returning the HDU to the
manufacturer for disassembly of the HDU, rewriting of the servo data and reassembly
of the HDU.  Thus, you may as well disassemble the HDU and degauss the platters
alone, thereby avoiding destroying other components.  Either way, the HDU
must go back to the mfgr for rebuild.  Basically you must consider each design
of disk separately and develop, with the mfgr., an appropriate method of cleansing.
JR for Misha

Date: Sat, 2 Aug 86 23:16:43 edt
From: Douglas Humphrey <deh@ENEEVAX.UMD.edu>
Subject: Re:  Declassifying memory

Because you destroy the servo information on the packs, they must
then be sent out for re-manufacture so that the servo tracks are
re-recorded on the servo surface. An extra level of security is here,
though most are not aware of it. When packs are re-manufactured, it
is customary to first tear the pack down to component parts, such as
the hub parts, platters, filters, bolts, etc, send them all to an
inspection station to be examined and verified as compliant with the
manufacturers specs, flush the losing parts, insert other verified
parts of scrap disk packs, and then put it all back together. This is
NEVER done one pack at a time or else it would be too expensive. 
Batches of 10 to 100 packs are done at once. Since there is no regard
for what part came from what pack, the odds that the pack that you
get back from the re-manufacturer contains more than one or two of
your original platters are real low. Security through the 'scatter-to-
the-winds' method I guess...

Of course, never send your packs to 'Workers Glory Pack Remanufacturing'
or other similarly named companies.....

Doug

Date: Sat, 9 Aug 86 00:36:01 edt
From: Douglas Humphrey <deh@ENEEVAX.UMD.EDU>
Subject: Re:  Degaussable disks

Some of the new disks from DEC (RA60 for example) have the servo data
interleaved with the data to help keep the temperature variations
encountered from causing tracking errors. I do not know if this data
is the ONLY servo data that is there, but it might be interesting
to build a disc drive that would be able to 'lay down its own
tracks' so to speak. If the servo information could become writable
by the device itself (not real likely I would think) then totally
erasing the data surfaces would not ruin the pack.

Banzai !

Doug

Date: Fri, 19 Sep 86 17:04:53 edt
From: timeplex!mrubin@topaz.rutgers.edu
Subject: Erasing magtapes...

I heard on the news the other day that USAF (or perhaps a contractor)
had auctioned off a load of supposedly erased tapes, which turned out
to contain blueprints or some such for C-5A and F-15 planes.
I wonder what fraction of "erased" tapes aren't, and how many KGB
operatives work for companies in the tape recycling business....

Perhaps tape spools could be fitted with the magnetic equivalent of a
"Shockwatch" indicator, which would change color when spun on a tape
drive, and reset when exposed to a bulk eraser?  Then again, the tapes
in question probably got out in the first place because they had never
been inspected.
