Post ATBOpPcSPPXWODzC9w by z@videos.lukesmith.xyz
(DIR) More posts by z@videos.lukesmith.xyz
(DIR) Post #ASXXRteU5m57ikVXea by luke@videos.lukesmith.xyz
2023-02-10T15:01:49.895Z
1 likes, 2 repeats
You should know that when you “delete” a file on your computer in your operating system, whether Linux, Windows or Mac, the file is not really deleted or overwritten until the space is needed for new data. This is beneficial when you accidentally delete a file, but is dangerous when you “delete” a sensitive file and falsely feel like you’re safe.Linux has the command shred which overwrites files with random data, which solves this issue. You can also output /dev/urandom or /dev/zero to blank or distort empty space on a drive.Even in the case of encrypted drives, it’s a good idea to use /dev/urandom or obscure unused or previously used space to prevent metadata leakage about how much you’ve stored on the drive or what used to be on it, in a way that could tie you to an important USB drive or computer.00:00 No data’s every really gone!01:49 Gist03:37 Dangers of File Recovery04:50 Good Op-sec05:56 shred to overwrite and delete files08:09 /dev/urandom and /dev/random09:44 Blanking or shuffling drives with randomness11:11 /dev/zero12:22 Encrypted drives can still leak metadata!15:01 Retroactively wiping empty space on an encrypted drive16:12 Benefits and Dangers
(DIR) Post #ASdcaPRVZlb7Twy32O by lumor@videos.lukesmith.xyz
2023-02-13T13:27:42.667Z
0 likes, 0 repeats
Flagged for misinformation. Nice try fed.https://unix.stackexchange.com/questions/593181/is-shred-bad-for-erasing-ssds
(DIR) Post #AT6fuQsLtN31AGbJ5c by z@videos.lukesmith.xyz
2023-02-27T13:51:34.390Z
0 likes, 0 repeats
A substiantally faster way of wiping a disk with sufficiently random data is to temporarily encrypt it and then override it with zeroes, see https://security.stackexchange.com/a/83321 (note that the specific commands are deprecated by now, but the general principle still applies; consult the man pages for cryptsetup). On a weak system with a large disk, this can save hours.
(DIR) Post #ATBOgtzE8Q1bxwZvLU by z@videos.lukesmith.xyz
2023-03-01T20:32:11.835Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have two remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible**. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive to begin with. “Securely erasing” the drive then just amounts to forgetting the key. Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find the actual key on the drive). (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key, which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. See https://superuser.com/a/856491 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBOlJ6mfrHX2RDJWi by z@videos.lukesmith.xyz
2023-03-01T20:33:00.034Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have two remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible**. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key. Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find the actual key on the drive). (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key, which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. See https://superuser.com/a/856491 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBOpPcSPPXWODzC9w by z@videos.lukesmith.xyz
2023-03-01T20:33:44.577Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have two remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible**. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key. Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find on the drive). (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key, which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. See https://superuser.com/a/856491 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBP1hx24qlUihTO1Q by z@videos.lukesmith.xyz
2023-03-01T20:35:57.894Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have two remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible**. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key (and its passphrase). Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find on the drive); in any case, as long one has used a strong passphrase for the key itself, it should not matter whether it has been erased or not – it’s indecipherable, hence the entire encrypted drive is indecipherable as well. (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key, which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. See https://superuser.com/a/856491 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBPCkHZkXcP8ULS0O by z@videos.lukesmith.xyz
2023-03-01T20:37:51.388Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have two remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible**. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key (and its passphrase). Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find on the drive); in any case, as long one has used a strong passphrase for the key itself, it should not matter whether it has been erased or not – it’s indecipherable, hence the entire encrypted drive is indecipherable as well. (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key (at initial operation of the drive), which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. However, one has to trust the manufacturer for this, which is why (a) is preferable. Hence, this is also an argument for *always encrypting your solid state disks* if they are to contain sensitive data. See https://superuser.com/a/856491 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBPrGEwLs63pkQoeO by z@videos.lukesmith.xyz
2023-03-01T20:45:16.857Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have three remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible** (without directly tinkering with the drive). None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key (and its passphrase). Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find on the drive); in any case, as long one has used a strong passphrase for the key itself, it should not matter whether it has been erased or not – it’s indecipherable, hence the entire encrypted drive is indecipherable as well. (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key (at initial operation of the drive), which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. However, one has to trust the manufacturer for this, which is why (a) is preferable. Hence, this is also an argument for *always encrypting your solid state disks* if they are to contain sensitive data. (3) As a last remark, it is apparently possible to physically remove the controller and directly access the solid state drive (with certain hardware), giving one full control over the hardware, making targeted writes/deletions possible – at least in principle: I haven’t researched this, but one wonders how would find the relevant data without the controller mapping logical block addresses to physical ones. I presume one has to be technically quite sophisticated for doing something like this. In any case, that method sounds infeasable for a typical user.See https://superuser.com/a/856491 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBROKqeL6N9dVP9ii by z@videos.lukesmith.xyz
2023-03-01T21:02:24.284Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have three remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible** (without directly tinkering with the drive or relying on the manufacturer). One can, however, use blkdiscard to at least make the solid state drive trim or unmap the corresponding allocated blocks; in some drives this is then even followed by writing zeroes to the respective blocks – in any case the controller then removes the respective logical blocks addresses, making it impossible to access the underlying data without physically accessing the drive. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key (and its passphrase). Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find on the drive); in any case, as long one has used a strong passphrase for the key itself, it should not matter whether it has been erased or not – it’s indecipherable, hence the entire encrypted drive is indecipherable as well. (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key (at initial operation of the drive), which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. However, one has to trust the manufacturer for this, which is why (a) is preferable. Hence, this is also an argument for *always encrypting your solid state disks* if they are to contain sensitive data. (3) As a last remark, it is apparently possible to physically remove the controller and directly access the solid state drive (with certain hardware), giving one full control over the hardware, making targeted writes/deletions possible – at least in principle: I haven’t researched this, but one wonders how would find the relevant data without the controller mapping logical block addresses to physical ones. I presume one has to be technically quite sophisticated for doing something like this. In any case, that method sounds infeasable for a typical user.See https://superuser.com/a/856491 and https://unix.stackexchange.com/a/659938 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATBRWkjxxNBoFwIBm4 by z@videos.lukesmith.xyz
2023-03-01T21:03:59.127Z
0 likes, 0 repeats
So, by chance I happen to be in a situation where I have to securely erase an old solid state drive. I have done some research and I have three remarks on that which you may find helpful: (1) As Lumor has hinted at, tools like shred or so do little to nothing to securely erase a particular file on solid state drives. This is because of the controller of such a drive, that handles the actual writes (and thus deletions): Blocks wear out quite quickly on solid state drives, which is why most, if not all, controllers implement wear leveling. Whenever a file is overwritten, instead of writing over the already allocated blocks, free blocks are written if possible and their corresponding logical block addresses (of the old, allocated blocks) are just remapped to the respective new ones (of the new, freshly written blocks). The data in the old, allocated blocks is never overwritten. Instead the drive merely suffers more (meaningless) wear. Thus: **Securely erasing *specific* files on a solid state drive is impossible** (without directly tinkering with the drive or relying on the manufacturer). One can, however, use blkdiscard to at least make the solid state drive trim or unmap the corresponding allocated blocks; in some drives this is then even followed by writing zeroes to the respective blocks (that is, if the manufacturers claims so and keeps his promise) – in any case the controller then removes the respective logical block addresses, making it impossible to access the underlying data without physically accessing the drive. None of the above applies to hard disk drives. (2) Securely “erasing” entire solid state drives, however, *is* possible, but only indirectly so: (a) Most securely, one encrypts the entire drive oneself to begin with. “Securely erasing” the drive then just amounts to forgetting the key (and its passphrase). Whichever cryptographic tool one has used for doing so, one can try to use its specific commands for erasing the keys or the entire encryption header on the drive, but by the above point (1), it seems to me that there is no guarantee that the key will actually be erased (yet perhaps there is some benefit to it, like making it harder to find on the drive); in any case, as long one has used a strong passphrase for the key itself, it should not matter whether it has been erased or not – it’s indecipherable, hence the entire encrypted drive is indecipherable as well. (b) Manufacturers may actually implement an implicit encryption themselves in the controller of the drive. In this case, the controller of the drive once generates a key (at initial operation of the drive), which it uses to encrypt and decrypt all data written to and read from the drive. Generally, a hardware feature, called “secure erase”, is then offered to –actually erase– said key and generate a new one instead, rendering all previously written data unreadable. However, one has to trust the manufacturer for this, which is why (a) is preferable. Hence, this is also an argument for *always encrypting your solid state disks* if they are to contain sensitive data. (3) As a last remark, it is apparently possible to physically remove the controller and directly access the solid state drive (with certain hardware), giving one full control over the hardware, making targeted writes/deletions possible – at least in principle: I haven’t researched this, but one wonders how would find the relevant data without the controller mapping logical block addresses to physical ones. I presume one has to be technically quite sophisticated for doing something like this. In any case, that method sounds infeasable for a typical user.See https://superuser.com/a/856491 and https://unix.stackexchange.com/a/659938 for more.Since you try to educate people on proper privacy and data security, please make an update! Thanks, Luke!
(DIR) Post #ATIzuajY5JvvocPcoq by yellowarchitect@videos.lukesmith.xyz
2023-03-05T12:32:14.182Z
0 likes, 0 repeats
No one would use video-sharing websites if they didn't support user comments, as comments essentially add all missing/bonus/errata information. Your comment reminded me of this fact. Thanks for writing this wall of text