Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw


From: Jeremy Epstein <jepstein () WEBMETHODS COM>
Date: Mon, 22 Jan 2001 18:16:42 -0500

Russ,

> To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
> now that there is no form of over-writing which makes any substantial
> difference to the ability to recover previously written data from a computer
> hard disk.

You're correct that Peter Gutmann (note spelling) has shown that you can
recover anything, given enough time & money, from an erased disk.  It's not
outrageously expensive or difficult, but it's certainly non-trivial.  But I
don't think that's what the point was.  I think the point was that the data
is NEVER overwritten on disk.  That's much easier than Peter's schemes for
retrieving data.  You don't need any special hardware to do it, unlike
Peter's schemes.

[None of which is to take away from Peter's excellent research...]

> My understanding of current "high security" standards wrt the re-use of
> disks which previously contained classified materials is that they only be
> re-used in similarly classified systems, or, are destroyed beyond any form
> of molecular reconstruction (e.g. melted).

That's generally true, although it depends on how classified the data was.
Disks containing Secret data could be reused for unclassified work with
sufficient overwriting, but Top Secret was never reusable.  That was a few
years ago; it may have changed.

> So to suggest that your perceived EFS flaw can be resolved by over-writing
> is naive. The only solution is to encrypt in memory or use some removable
> partition as the temp space.

Disagree.  Security isn't an absolute.  Overwriting makes it significantly
harder to recover deleted data, although certainly not impossible.  It's
enough of an impediment that it may encourage the attacker to go read
someone else's disk.  And that may be enough, depending on the sensitivity
of the data.

--Jeremy

