[clug] Re: More (almost free) stuff. - 3.5" WD 200GB IDE - $10

Hal Ashburner hal.ashburner at gmail.com
Sun Sep 7 08:29:42 GMT 2008


steve jenkin wrote:
> Hal Ashburner wrote on 7/9/08 2:36 PM:
>
>   
>> The challenge:
>> http://16systems.com/zero/index.html
>>     
>
> While well-intentioned, if nobody undertakes or meets this challenge, it
> won't tell us any more than "you can't recover zeroed-data for $500".
>   
Hi Steve,
It would tell us slightly more than that, that you can't recover for 
non-labour costs of something significantly above $500.
If one could do it for say $3,000 plus a month's labour it would be 
overwhelmingly tempting as it would likely make you a millionaire inside 
a year performing expensive service for corporates and such. Much safer 
than stealing data from 'erased' disks that could land you in jail.
> 1. University Labs are excluded.
>    Great brains, great equipment and the time to play...
>   
I didn't notice that, as you say that's just stupid.

> 3. If the spooks really can do this, we'll only know in 25-50 years.
>   
Maybe. By definition if we've heard nothing we still won't know.

> Robert Morris (snr) casually mentioned at an AUUG conference (Sydney
> Hilton) that it costs the NSA about $10M to 'do an intercept'. They are
> good at breaking ciphers and cracking codes, and they understand the
> economics of it. Even if that figure has come to $1M over the years,
> they still wouldn't let their trade secrets become public.
>   
Such figures are notoriously rubbery. They're very tough to calculate. 
Do you assign the fixed costs to each interception? Is it the marginal 
cost of one more interception? What do you include in the marginal cost? 
In my experience of such numbers when you probe the foundations you get 
a chain of "these guys said, jill said, barry said, ivan mentioned..."
>
> I don't disagree with the experiment/challenge, but their method is
> fundamentally flawed:
>
> - failure to recover the data doesn't tell us anything new,
>
> - the only useful outcome is if someone actually recovers data from the
> drive (essentially for free) - and if 3 out of 3 firms first contacted
> demur, it's highly unlikely anyone will step up for the offered price.
>   
What it tells us is that it's not easy and not cheap at a minimum. So if 
you want to give away old drives at clug, using dd is highly likely to be 
good enough to permanently obscure the data.
The test is not the worth of the data vs sale price of the drive, it's 
the perceived value of the data to who you sell it to vs cost to extract it.
I'd go so far as to say for anyone at clug 99%+ perceived value of the 
data is less than $0 because it would be such bad form to even try and 
extract it even if such a thing were possible.
So what we've got is:
No evidence yet presented to support the theory that recovering data 
from a zeroed drive is possible.
A fairly large financial incentive to demonstrate it. (Craploads more 
than the notional $500 which you might not bother to even collect)
And no takers.
Obviously such is not actual proof that recovery from a zeroed drive is 
impossible. It does suggest that the chances of your identity being 
stolen if you zero a hard drive and sell it/give it away at clug are 
negligible. At best.
One might not think that good enough for national defense secrets but 
this has never been the case under discussion.
> If it was open to all comers and there was $50M up for grabs, I'd rate
> their chances of getting result (-ve/+ve) as 'good' :-)
I don't understand hard drives beyond the basics of platters, sectors 
and heads. Is there any reason why you think the chances would be good?

Besides all that, my point is that if you've got equipment you're not 
going to use, giving it away to someone who will is a good thing (TM) 
for a whole bunch of reasons. I say do it. Just zero storage media 
before pitching it.

Regards,
Hal
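
The "zero it with dd before giving it away" step discussed in this message, followed by a read-back check, as an added example that is not part of the original message. The function names are hypothetical, the demo runs on a constructed scratch image rather than a real disk, and it assumes the usual dd, cmp, head and (for block devices) util-linux blockdev tools.

```shell
#!/bin/sh
# Added example (not from the original message): zero a target with dd, then
# verify that every byte reads back as 0x00. The demo uses a constructed
# scratch image; on real media the argument would be the block device.

# Size in bytes of a regular file or block device.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"      # util-linux; block devices only
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole target with zeros, keeping its length.
zero_target() {
    size=$(target_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1M conv=notrunc,fsync 2>/dev/null
}

# Print the 1-based offset of the first non-zero byte; print nothing if clean.
first_nonzero() {
    size=$(target_size "$1") || return 1
    cmp -l -n "$size" "$1" /dev/zero 2>/dev/null | head -n 1 | awk '{print $1}'
}

# Exit status 0 only when the target reads back as all zeros.
verify_zeroed() {
    off=$(first_nonzero "$1") || return 2
    if [ -n "$off" ]; then
        echo "FAIL: $1 has a non-zero byte at offset $off" >&2
        return 1
    fi
    echo "OK: $1 reads back as all zeros"
}

# Demo on a constructed 4 MiB image with a marker string 1 MiB in.
# Run it by calling: demo
demo() {
    img=$(mktemp) || return 1
    head -c 4194304 /dev/zero > "$img"
    printf 'constructed-secret' | dd of="$img" bs=1 seek=1048576 conv=notrunc 2>/dev/null
    verify_zeroed "$img"               # expected to fail: marker still present
    zero_target "$img" && verify_zeroed "$img"
    rc=$?
    rm -f "$img"
    return $rc
}
```

The check reads back through the operating system, so it confirms only the sectors the drive currently exposes as addressable.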

