Disks, data and paranoia

I’m currently going through about 15 IDE/ATA  hard disks and wiping them.  I’m using an old machine to do it.  A friend asked if they could have some of them after they’re wiped, for a friend of theirs.  I guess this post is my way of responding and saying no, sorry.

I have no doubt that the data on them is gone.  But, I intend to wipe them, take them outside and hit them a few times with a 4lb lump hammer, and then take them to the local recycling centre.  So the platters will be clean and the devices themselves will be broken.

This isn’t just my data we’re talking about, it’s the personal data of anyone who communicated with me since I started using computers for electronic communications in around 1992.  I don’t think there’s anything, anywhere on any of those disks that could incriminate me or anyone else, or cause any embarrassment, but hell, why take the risk?  When people talked to me on FidoNet, bulletin boards, by e-mail, usenet, IRC, or any other mechanism that may have kept a record on my machine, I bet they weren’t thinking ‘in 17 years, I wonder who’ll be using the disk this is being stored on’.

So anyway, no sorry, you can’t have my old, crusty, IDE disks, I’m destroying them.

The most amusing thing about the process is that the machine I’m using to wipe the disks (with the case off so I can swap drives in and out easily) is clearly dying, sometimes it boots first time (from Darik’s Boot and Nuke media), but most of the time it gives a random combination of beeps and needs another power cycle.  I think it’s the graphic card slowly dying but it’s hard to tell.  So, if the box lives long enough, I’ll finish wiping these disks and then I get to play with my lump hammer.

Proving who you are

Wizards of the Coast provide a mail service where you can send rules queries for their games, including D&D.  This is cool, because it seems no matter how well a rulebook is written there are always some issues which are confusing.

I thought I’d send them a query about a rule – and you have to sign up to their site, okay, I guess that keeps the spam down.  So I started the signup process.  They needed the regular stuff, username, e-mail, date of birth.  My postcode?  Filled them all in – then, three, security questions and one additional question you might get asked on the phone, all required so they can prove who you are if you forget your account details.

Come on.

It’s a forum user ID.  If I answered those questions they’d know more about me than the bloody tax office.  Anyone who did manage to get access to my data would know enough to convince other people they were me.  It’s not like WoTC are running a banking operation or something like that.  I just wanted access to their forums and the option to mail them a rules question.

Clearly, I just made up answers to the questions that I’ll remember but that aren’t true, in fact to simply things I just picked the same answer to all four questions even if it made no sense.  Reducing the point of them having multiple questions.  Sometimes you can have too much security.

Responsible web sites

Most small websites on the ‘net sit on shared hosting of some kind or another  ((this is an educated guess)).  Shared hosting means that a small number of servers handle all the requests for a large number of web sites.  How that’s achieved varies, but the bottom line is that it’s a shared infrastructure.  It’s a bit like living in shared accommodation.  There’s a single door through which everyone gets into the building, then a number of apartments which have their own doors.  But they all share the same electricity supply and water and other utilities.

With shared web hosting, all the traffic comes into the same web host network and web server cluster, and is then handled by all the different web site configurations.  In the same way that there are people who would like to break into your apartment, there are people who’d like to break into your web site to steal stuff, deface it, or to try and gain further access to the shared infrastructure.

Continue reading

Broadcasting your data is asking for trouble

So if you transmit data through the air, such that anyone can read it without any physical security, it’s not a question of if the encryption used it broken, but when.

From ITWorld,

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

Clearly you have to assess what you use your wireless for and how likely it is for someone to be listening in, but it’s growing more and more clear that any broadcast technology is going to be broken eventually.


Update 7th November 2008.

It’s not as bad as it first sounded, but it’s still an issue.  Read more here.