Tag: privacy

[Image: hard drive platter spinning]

Don’t destroy used hard drives! Wipe them and reuse or sell them with confidence!

The advice to not use a hard drive from eBay is not the best advice. You should fully wipe the drive (a zero fill will do) and then install a new OS on it. The old data will be 100% unrecoverable and you won’t unnecessarily destroy a perfectly good piece of equipment. Please don’t advocate for this kind of wasteful drive destruction.

Yes, a zero fill is more than enough. The “DoD secure wipe” was designed for hard drives from the 80s and early 90s that used FM/MFM/RLL data modulation. Today, drives use [E]PRML and other advanced techniques instead.

Yes, Peter Gutmann wrote a paper about recovering data from hard drives that said you could easily do so, but that was in the era of widespread MFM/RLL drives, and Gutmann himself later walked back his recommendations:

“In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don’t understand that statement, re-read the paper). If you’re using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, “A good scrubbing with random data will do about as well as can be expected”. This was true in 1996, and is still true now.”

[Image: hard drive platter and arm]
It’s a miracle that these things work at all.

Quoting Donald Kenney:

“PRML uses a different approach to improving storage density. To permit greater data density, recorded data amplitude is reduced and bits are packed together more closely. The digital signal is then recovered using digital signal processing techniques on the analog data stream from the drive. PRML achieves a 30-40% improvement in storage density over RLL modulation without PRML. EPRML modifies the algorithms used in PRML to achieve additional improvements claimed to be 20-70%.”

The extremely low magnetic amplitude of [E]PRML modulation puts the analog data signal on the platter so close to the noise floor that a DSP has to filter the noise just to recover the data signal. A simple zero fill pushes the previous (very weak) signal firmly back into the noise floor. Snatching data from an MFM drive using a scanning tunneling electron microscope relied on the strong-amplitude data writes being “messy”: the magnetic domains of previous writes (sometimes multiple layers of them) remained detectable “around” the current writes, because so much of the surface was influenced by the previous writes that unnecessary “leakage” of the magnetic domains occurred, and subsequent writes wouldn’t necessarily “reach” all of the affected areas.

PRML techniques massively boost data density; doing so makes the margins in which you’d locate this “leaked” data so tight that there isn’t much room for it to exist in the first place, but on top of that, the strength of the write is an order of magnitude weaker. It’s frankly a miracle of modern science that the data so close to the noise floor and with such an insanely tiny amount of surface area can be read back at all. One simple overwrite pass will destroy the data beyond even the abilities of any given three-letter agency to get it back.

So, in short, a one-pass zero-fill of the drive is enough to “sanitize” the data therein. Please don’t throw away or destroy hard drives just because someone else used them before, and if you’re selling a computer, just wipe the drive completely and your now-destroyed data is perfectly safe from prying eyes.
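The single zero-fill pass the post describes, plus the read-back check you would want before selling the drive, as an added Python example (this is not code from the original post). It assumes a Linux host where the target is a block device path such as /dev/sdX, opened as root with the drive unmounted; the self-contained demo instead works on a temporary file filled with random bytes so nothing real is touched.

```python
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read; the size is an arbitrary choice for this example


def zero_fill(path: str) -> int:
    """Overwrite every byte of `path` with 0x00 in a single pass and return the
    number of bytes written. `path` may be a regular file or, on Linux, a block
    device such as /dev/sdX (assumed path; run as root with the device unmounted)."""
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)   # on a block device this reports its capacity
        f.seek(0)
        written = 0
        while written < size:
            want = min(CHUNK, size - written)
            n = f.write(zeros[:want])   # unbuffered writes may be partial, so loop on n
            written += n
        os.fsync(f.fileno())            # do not trust the OS write cache for a wipe
    return written


def verify_zeroed(path: str) -> bool:
    """Read the whole target back; True only if no non-zero byte survived."""
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True
            if buf.count(0) != len(buf):  # bytes.count(0) counts 0x00 bytes
                return False


def demo_on_scratch_file(nbytes: int = 3 * CHUNK + 123) -> tuple:
    """Self-contained run on a temporary file of random bytes (constructed sample
    data). Returns (clean_before, bytes_written, clean_after, size_unchanged)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(nbytes))
    try:
        before = verify_zeroed(path)
        written = zero_fill(path)
        after = verify_zeroed(path)
        return before, written, after, os.path.getsize(path) == nbytes
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        target = sys.argv[1]            # e.g. /dev/sdX; double-check the letter first
        print(f"zero-filled {zero_fill(target)} bytes")
        print("verified clean" if verify_zeroed(target) else "VERIFY FAILED")
    else:
        print(demo_on_scratch_file())
```

The read-back pass is the part people skip: a drive that silently remapped a sector or a wipe that died halfway looks identical to a finished one without it. This matches the post's scope, spinning magnetic platters; on an SSD a host-side zero fill does not reach blocks the controller has retired or remapped, so the drive's own ATA Secure Erase or an encrypted drive's key reset is the equivalent there.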

Gab’s Dissenter receives your entire browsing history; bonus: it can be tied to your unique user ID

I fully support the intent behind Gab’s Dissenter platform. The ability to comment on any website is a wonderful move for free speech. What I can’t get behind is the major privacy problem it poses, a problem which unfortunately is very hard to avoid in any “comment on any site” concept.

Gab’s Dissenter stores and retrieves comments by URL. This requires Dissenter to send EVERY URL YOU VISIT out to the Dissenter platform to check for user comments for that URL, and obviously to submit your own comments as well. Since you’ll probably be logged in to Gab to use Dissenter, these URLs may also be sent with your Gab user ID which easily ties them all together. Regardless of what the Terms of Service may say about their data collection and retention policies, there is the possibility that Gab is effectively collecting and storing your entire browsing history while using the Dissenter extensions or app.

Even if they say that they don’t do this sort of collection and retention, you must choose whether or not to trust them. Consider a similar privacy-protecting service: VPNs. Several VPN service providers that claimed to be “no-log VPNs” (meaning they don’t store any information about your activities on their services) have been caught storing logs once police subpoenaed them for logs and they were forced to comply. It’s even possible for data to be retained in places not specifically meant to retain that data; for example, a server debugging log may contain all user requests made during the time period that the debug data was enabled, and that log is then readable to computer hackers/crackers or to law enforcement through a lawful subpoena.

How far are you willing to trust Gab with the data they necessarily must receive from you to keep their service working? It’s your choice. All I want is for you to make an informed choice, not an ignorant one.

It occurred to me shortly after writing this that there is one other possibility, but it’s not really much better. The only other way to do it without sending the URLs directly would be to hash the URL on the client side and send the hash instead, but unlike passwords, an unsalted hash of a (probably public) URL is fairly easy to come up with. Law enforcement, for example, could easily ask Google to provide a hash list of every URL in their database and it’d take Google less than a day to generate such a list. Even a casual hacker could build a simple web spider that follows URLs and hashes them to build that list. It’d be sort of like copy protection: it protects against completely ignorant users making copies, but hackers and pirates will break the protection easily and do as they please. Likewise, any method to conceal the URLs sent to Gab’s Dissenter would only count as obscuring the URL and could be easily cracked. If you think about it, there’s simply no other way to do it: how else can Dissenter know what comments to store and retrieve?
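To make the "hash the URL instead" point concrete, here is an added Python example (not code from Gab or from the original post) that builds the precomputed table the post describes and maps a stream of "anonymous" URL hashes back to the pages visited. The URL list and the browsing session are constructed sample data. It also goes one step further than the post: even a site-wide key (an HMAC instead of a bare hash) changes nothing, because the server must hold that key to look comments up, so the server's own table still inverts the tokens.

```python
import hashlib
import hmac


def url_token(url: str, site_key: bytes = b"") -> str:
    """The 'send a hash instead of the URL' idea. With no key this is a plain
    unsalted SHA-256; with a site-wide key it is an HMAC. Either way the server
    must be able to recompute it, or it could not find the comments for a page."""
    data = url.encode("utf-8")
    if not site_key:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(site_key, data, hashlib.sha256).hexdigest()


def build_lookup(known_urls, site_key: bytes = b"") -> dict:
    """Precomputed table token -> URL. A web spider, a search engine, or the
    service itself can build this once for every URL it knows about."""
    return {url_token(u, site_key): u for u in known_urls}


def recover_history(tokens, lookup: dict) -> list:
    """Map the transmitted tokens back to URLs; unknown ones stay None."""
    return [lookup.get(t) for t in tokens]


# Constructed sample data: public URLs any crawler could collect (not real traffic).
CRAWLED = [
    "https://example.com/",
    "https://example.com/news/article-1",
    "https://example.com/news/article-2",
    "https://example.org/forum/thread/42",
]

# A short constructed browsing session. Only the last page is non-public, so it is
# the only one that stays hidden; every public page is recovered.
SESSION = [
    "https://example.com/news/article-2",
    "https://example.org/forum/thread/42",
    "https://intranet.example.internal/private-page",
]


def demo(site_key: bytes = b"") -> list:
    """What whoever holds the table learns from the tokens the extension sends."""
    table = build_lookup(CRAWLED, site_key)
    sent = [url_token(u, site_key) for u in SESSION]   # what would leave the browser
    return recover_history(sent, table)


if __name__ == "__main__":
    print(demo())
    print(demo(b"site-wide-key-the-server-knows"))
```

The structural problem is exactly the post's conclusion: a lookup keyed on the page identity has to receive something that identifies the page, and anything derived deterministically from a public URL is as good as the URL itself to whoever holds the list.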

Disable Windows Vista/7/8/8.1 Thumbnail Caches (Privacy, Performance, Paranoia, and Anti-Forensics)

By default, every version of Windows since XP creates thumbnail database files that store small versions of every picture in every folder you browse into with Windows Explorer. These files are used to speed up thumbnail views in folders, but they have some serious disadvantages:

  1. They are created automatically without ever asking you if you want to use them.
  2. Deleting an image file doesn’t necessarily delete it from the thumbnail database. The only way to delete the thumbnail is to delete the database (and hope you deleted the correct one…and that it’s not stored in more than one database!)
  3. These files consume a relatively small amount of disk space.
  4. The XP-style (which is also Vista/7/8 style when browsing network shares) “Thumbs.db” and the Windows Media Center “ehthumbs_vista.db” files are marked as hidden, but if you make an archive (such as a ZIP file) or otherwise copy the folder into a container that doesn’t support hidden attributes, not only does the database increase the size of the container required, it also gets un-hidden!
  5. If you write software, it can interfere with software version control systems. They may also update the timestamp on the folder they’re in, causing some programs to think your data in the folder has changed when it really hasn’t.
  6. If you value your privacy (particularly if you handle any sort of sensitive information) these files leave information behind that can be used to compromise that privacy, especially when in the hands of anyone with even just a casual understanding of forensic analysis, be it the private investigator hired by your spouse or the authorities (police, FBI, NSA, CIA, take your pick).

To shut them off completely, you’ll need to change a few registry values that aren’t available through normal control panels (and unavailable in ANY control panels on any Windows version below a Pro, Enterprise, or Ultimate version). Fortunately, someone has already created the necessary .reg files to turn the local thumbnail caches on or off in one shot. The registry file data was posted by Brink to SevenForums. The files at that page will disable or enable this feature locally. These will also shut off (or turn on) Windows Vista and higher creating “Thumbs.db” files on all of your network drives and shares.

If you want to delete all of the “Thumbs.db” style files on a machine that has more than a couple of them, open a command prompt (Windows key + R, then type “cmd” and hit enter) and type the following commands (yes, the colon after the “a” is supposed to be followed by an empty space):

cd \

del /s /a: Thumbs.db

del /s /a: ehthumbs_vista.db

This will enter every directory on the system hard drive and delete all of the Thumbs.db files. You may see some errors while this runs, but such behavior is normal. If you have more drives that need to be cleaned, you can type the drive letter followed by a colon (such as “E:” if you have a drive with that letter assigned to it, for example) and hit enter, then repeat the above two commands to clean them.

The centralized thumbnail databases for Vista and up are harder to find. You can open the folder quickly by going to Start, copy-pasting this into the search box with CTRL+V, and hitting enter:

%LOCALAPPDATA%\Microsoft\Windows\Explorer

Close all other Explorer windows that you have open to unlock as many of the files as possible. Delete everything that you see with the word “thumb” at the beginning. Some files may not be deletable; if you really want to get rid of them, you can start a command prompt, start Task Manager, use it to kill all “explorer.exe” processes, then delete the files manually using the command prompt:

cd %LOCALAPPDATA%\Microsoft\Windows\Explorer

del thumb*

rd /s thumbcachetodelete

When you’re done, either type “explorer” in the command prompt, or in Task Manager go to File > New Task (Run)… and type “explorer”. This will restart your Explorer shell so you can continue using Windows normally.
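The `del /s /a:` sweep above has no preview and no report, so here is an added Python equivalent (not code from the original post) that walks a drive, lists every Thumbs.db and ehthumbs_vista.db it finds, and only deletes when asked. It clears the read-only attribute first, since that (unlike the hidden attribute) blocks deletion on Windows, and records files it could not remove, which the post notes is normal for databases still in use. The demo builds a throwaway directory tree as constructed sample data.

```python
import os
import shutil
import stat
import sys
import tempfile

# The two database names from the post, matched case-insensitively.
THUMB_DBS = {"thumbs.db", "ehthumbs_vista.db"}


def find_thumb_dbs(root: str):
    """Yield every thumbnail database under `root` (the preview `del /s` lacks)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in THUMB_DBS:
                yield os.path.join(dirpath, name)


def delete_thumb_dbs(root: str, dry_run: bool = True) -> tuple:
    """Return (handled, failed). With dry_run the first list is what would be
    deleted; otherwise it is what was deleted and `failed` holds files that were
    locked or unwritable (expected for databases Explorer still has open)."""
    handled, failed = [], []
    for path in find_thumb_dbs(root):
        if dry_run:
            handled.append(path)
            continue
        try:
            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # drop read-only before remove
            os.remove(path)
            handled.append(path)
        except OSError:
            failed.append(path)
    return handled, failed


def demo() -> tuple:
    """Constructed sample tree: three databases (one oddly cased, one read-only)
    and a photo that must survive. Returns counts for a dry run and a real run."""
    base = tempfile.mkdtemp()
    layout = {
        "Pictures/Thumbs.db": b"db",
        "Pictures/Vacation/THUMBS.DB": b"db",
        "Videos/ehthumbs_vista.db": b"db",
        "Pictures/Vacation/photo.jpg": b"jpeg-bytes",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(base, "Videos", "ehthumbs_vista.db"), stat.S_IREAD)
    try:
        would, _ = delete_thumb_dbs(base, dry_run=True)
        untouched = all(os.path.exists(p) for p in would)
        deleted, failed = delete_thumb_dbs(base, dry_run=False)
        survivors = list(find_thumb_dbs(base))
        photo_ok = os.path.exists(os.path.join(base, "Pictures", "Vacation", "photo.jpg"))
        return len(would), untouched, len(deleted), len(failed), len(survivors), photo_ok
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Usage: python clean_thumbs.py C:\ [--delete]   (drive root is an assumption)
        handled, failed = delete_thumb_dbs(sys.argv[1], dry_run="--delete" not in sys.argv)
        print("\n".join(handled))
        print(f"{len(handled)} handled, {len(failed)} could not be removed")
    else:
        print(demo())
```

Run it once without `--delete` to see what the sweep would touch, then with it; the centralized `thumbcache_*.db` files under `%LOCALAPPDATA%\Microsoft\Windows\Explorer` still need Explorer stopped as the post describes, and will simply show up in the failed list until it is.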

Service providers that store user data need to GIVE USERS THE KEYS!

Comments on this post are welcome and strongly encouraged.

Service providers such as Gmail, Yahoo, Facebook, Twitter…all of these, they need to offer users a data encryption option that does the following:

  1. It disables the password recovery system, so that no one else can exploit it or any weak links to it to get into our accounts, but if we “forget” our password then we can’t either; and
  2. Our passphrase encrypts a larger key which encrypts our non-public data on their servers with 256-bit AES encryption.

In light of the fact that General Petraeus was brought down by someone who was neither him nor a personally trusted party accessing the data in his Gmail account, I think the users need to be handed the keys to our accounts and service providers need to give them up. By far the largest method for hackers to steal highly important or sensitive data is the “forgot password?” link at any given website. Our email accounts are almost universally used as a skeleton key to our other accounts. Mat Honan’s Gmail, Twitter, and Apple ID accounts were all hacked into in the space of an hour this way, and the hackers deleted all of the data on his MacBook, iPhone, and iPad when they got in.

For services that offer this encryption option, there should be an additional option to unlink all email accounts as well. There are some services that exist already which allow you to open an account for which an email account is optional, but they’re not very common and typically are also obscure and small.

Obviously, this is something that won’t do much with services like Facebook and Twitter, because in order for the service to show tweets or posts to anyone else, they have to be readable by the service provider itself. However, if you’re on Facebook and change a post or picture to be visible to “only me,” the media should be encrypted with your encryption key, then all unencrypted copies deleted from the provider’s servers, including its content delivery network.

Another feature that absolutely needs to be in place is for all mail service providers to support mail delivery and hopping over SSL or TLS, so that plaintext email does not go over the wire without any encryption. If email is encrypted on Gmail and encrypted on Yahoo! Mail, then the end-to-end link between them also needs to have encryption. Ultimately, the amount of time an email spends stored or transmitted as plaintext should be minimized. It would also be nice if mail applications such as Mozilla Thunderbird had built-in encryption for the entire user profile (stored/locally cached mail, stored account passwords, configuration settings, etc.) utilizing a master password, though it seems that most people point to workarounds that don’t ask Mozilla to add such support directly into Thunderbird. (What if I don’t want to install full disk encryption software, or can’t do so, or want to use Thunderbird in a portable fashion on a flash drive?)

Yet another feature that would be very nice to have is a “lockdown” feature, where you can log into your encryption-enabled account on a service like Facebook or Twitter, go to some sort of security settings page, press a button called “lock down account,” confirm that you really meant to lock down the account, and all media that is stored in your account automatically gets changed to “only me” privacy and encrypted in one shot, plus any attached “escrow” methods of password retrieval such as cell phones or email addresses are rendered unusable. If you have reason to believe that your data needs to be locked down quickly, having a feature like this is critical.

The biggest downside to this system is that if you lose or forget your password, you lose everything. The most common response to this “downside” will be “that’s a great feature to have!” and I strongly agree: if I don’t want anyone accessing my account, I desperately need to be able to lose the password with no means of recovery. However, another downside is that if someone gains access to your account, they can lock you out of your own data in the same way that you can lock others out. The most obvious answer to this would be some form of two-factor authentication, but adding TFA to the mix would imply such things as if you lose your second factor, you can’t lock down your account or change your encryption password, so it’s a bit of a double-edged sword.
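The two-level scheme from the list above (passphrase wraps a larger key, the larger key encrypts the data) and the "lock down account" button are both small once the key hierarchy is in place. This added Python example (not code from any of the providers named, nor from the original post) models the server-side record: it assumes the `cryptography` package, uses AES-256-GCM as the concrete 256-bit AES mode, and uses PBKDF2 with illustrative parameters to turn the passphrase into the wrapping key. Changing the passphrase only rewraps the data key, an optional recovery code is just a second wrapper, and lockdown deletes every wrapper except the passphrase one.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ROUNDS = 100_000   # illustrative; tune for the server's hardware


def _kek(secret: str, salt: bytes) -> bytes:
    """Passphrase or recovery code -> 256-bit key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32)


def _seal(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    nonce = os.urandom(12)                       # fresh nonce per encryption, stored in front
    return nonce + AESGCM(key).encrypt(nonce, plaintext, label)


def _open(key: bytes, blob: bytes, label: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], label)


def _wrap_dek(secret: str, dek: bytes) -> tuple:
    salt = os.urandom(16)
    return salt, _seal(_kek(secret, salt), dek, b"dek-wrap")


def new_account(passphrase: str) -> dict:
    """Server-side record. The data-encryption key exists only in wrapped form,
    so the provider can neither read the objects nor 'reset' the passphrase."""
    dek = AESGCM.generate_key(bit_length=256)
    return {"main": _wrap_dek(passphrase, dek), "recovery": {}, "objects": {}}


def unlock(account: dict, passphrase: str) -> bytes:
    salt, blob = account["main"]
    try:
        return _open(_kek(passphrase, salt), blob, b"dek-wrap")
    except InvalidTag:
        raise PermissionError("wrong passphrase; there is no server-side recovery path")


def passphrase_works(account: dict, passphrase: str) -> bool:
    try:
        unlock(account, passphrase)
        return True
    except PermissionError:
        return False


def put(account: dict, passphrase: str, name: str, plaintext: bytes) -> None:
    dek = unlock(account, passphrase)
    account["objects"][name] = _seal(dek, plaintext, name.encode())   # name bound as AAD


def get(account: dict, passphrase: str, name: str) -> bytes:
    dek = unlock(account, passphrase)
    return _open(dek, account["objects"][name], name.encode())


def change_passphrase(account: dict, old: str, new: str) -> None:
    """Only the wrapper is redone; the stored objects are not touched."""
    account["main"] = _wrap_dek(new, unlock(account, old))


def add_recovery_code(account: dict, passphrase: str) -> str:
    """Optional escrow: a second wrapper under a random code the user keeps offline."""
    code = os.urandom(16).hex()
    index = hashlib.sha256(code.encode()).hexdigest()   # lookup key; the code itself is not stored
    account["recovery"][index] = _wrap_dek(code, unlock(account, passphrase))
    return code


def unlock_with_recovery(account: dict, code: str) -> bytes:
    salt, blob = account["recovery"][hashlib.sha256(code.encode()).hexdigest()]
    return _open(_kek(code, salt), blob, b"dek-wrap")


def lockdown(account: dict) -> None:
    """The 'lock down account' button: drop every escrow wrapper so nothing but
    the passphrase can reach the data key."""
    account["recovery"].clear()
```

The shape also makes the trade-off in the paragraph above visible: lockdown is just deleting wrappers, which is why whoever holds a valid passphrase (you or an intruder) can do it, and why nothing the provider retains can undo it.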

The major reason that “encrypt everything” has not been adopted by knowledgeable users is that it’s not available as an option, and where it is available, you have to jump through ridiculous hoops to get it set up and working. Things like the HTTPS Everywhere extension and Google switching its services to use HTTPS by default are steps in the right direction. The fact that anyone can get online and dig up your maiden name, social security number, city you were born in, first vehicle you owned, and much more within minutes and for small fees means that password recovery options with security questions and whatnot are the equivalent of locking your five deadbolts and leaving the key under the WELCOME mat. Furthermore, if the FBI, CIA, NSA, or some other three-letter agency decides they want to read your mail without your knowledge, there’s nothing at all stopping them from doing so.

One of the big arguments against encryption is that it allows bad people to hide bad things. News flash: bad people can use encryption even if you DON’T allow it. The only thing that happens when you don’t have encryption available is that GOOD people can’t protect themselves and their privacy so easily, but the bad guys have an extraordinary motivation to jump through the extra hoops required and certainly will do so to avoid being caught. This argument against providing encryption has no substance in a practical world.

In summary: Service providers need to give us the keys to our data.

Completely disable Firefox disk caching and thumbnail generation for speed and paranoia

A comment on an article on Ars Technica reminded me that people have been convicted of possession of child pornography in the past based solely on the contents of their web browser’s cache (Internet Explorer calls them “temporary internet files.”) The problem with this is that these days, you don’t necessarily have to see or click on anything to have it load into your browser cache. Ignoring questionable ads and unexpected pop-ups and someone else touching your computer as a source of such garbage, actual “features” like link prefetching can do this by loading the contents of certain links on a page in anticipation of you clicking through them while never necessarily doing so. It’s pretty scary to think about such things, but they can and do happen, and if some forensic guy ever sees the contents of your hard drive, you don’t want to have to worry about some prefetched stuff you didn’t know was there landing you in hot water, especially in the “guilty until proven innocent” manner criminal court juries tend to operate.

Torrents, private emails, and other things that aren’t necessarily illegal at all (yet definitely deserve to be kept private) are stored in your browser cache, too. Even if you’re not concerned about the remnants of the virus you just got quarantined having opened questionable websites for you, you might not want copies of your email to your boss with whom you’re having an affair being found by your nosy significant other, or you might have caught your kids downloading something they shouldn’t have using BitTorrent and want to make sure records of their faux pas aren’t floating about in the browser cache for the next few months.

Then there’s the technical aspect: more files on disk is generally a bad thing, because a folder with 5,000 entries is far slower to search through for one file than a folder with 100 entries (or no folders at all). Wouldn’t it be awesome to alleviate both the paranoid legal risk as well as speed up your browser and prevent it from polluting your hard drive with thousands of files you don’t care about? If you use Mozilla Firefox, it’s actually somewhat simple to turn off prefetching and disk caching once you know how. Note that memory caching is still in place, so you do still have the speed benefits of caching; note also that memory caching can still end up in your paging file, so this isn’t a 100% foolproof thing, but in terms of eliminating risk it’s a huge leap forward.

  1. Open Firefox. Go to the address bar, type about:config and hit [Enter].
  2. It might warn you not to play around. Click “I’ll be careful, I promise!”
  3. Type “prefetch” into the search box. You should see an option called “network.prefetch-next” which you can double-click to change to “false.”
  4. Search for “cache.disk” this time. Change “browser.cache.disk.enable” to “false” and change “browser.cache.disk.capacity” to “0.”
  5. Close and re-open Firefox.
  6. Hit [Ctrl] + [Shift] + [Delete] to bring up the “Clear Recent History” box. Change your time range to “Everything” and make sure “Cache” is checked. This erases the entire disk cache.
  7. For the really paranoid, install CCleaner (don’t install anything else it offers to install while you do it), find the “Wipe Free Space” option at the bottom of the left column, right-click on it, and choose “clean.” (It might warn you that it’s going to delete stuff, but proceed anyway.) This erases the contents of all of the empty space on the hard drive, including anything that was in the disk cache you just deleted and anything that has ever been deleted from the computer.
  8. [Update for newer Firefox versions] Firefox stores thumbnails of pages you visit for the new “New Tab” page previews. To get rid of this while you’re in about:config, right-click somewhere and go to New -> Boolean, call it browser.pagethumbnails.capturing_disabled and set it to true. Restart Firefox and no more behind-your-back thumbnails.
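The about:config changes in steps 3, 4 and 8 live in the profile's prefs.js and can be silently lost when a profile is rebuilt or migrated. As an added Python example (not code from Mozilla or from the original post), here is a checker that reads a profile's user.js, reports which of the four settings are missing or wrong, and emits the lines that fix them; the user.js content it runs on is constructed sample data, and the profile path is an assumption you pass in.

```python
import re

# The about:config settings from the steps above, in the form user.js records them.
HARDENING_PREFS = {
    "network.prefetch-next": False,
    "browser.cache.disk.enable": False,
    "browser.cache.disk.capacity": 0,
    "browser.pagethumbnails.capturing_disabled": True,
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _parse_value(raw: str):
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)


def _to_js(value) -> str:
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return "true" if value else "false"
    if isinstance(value, str):
        return f'"{value}"'
    return str(value)


def parse_user_js(text: str) -> dict:
    """Collect user_pref() lines; a later line overrides an earlier one, as Firefox does."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def _same(a, b) -> bool:
    return type(a) is type(b) and a == b    # strict: 0 is not False, "0" is not 0


def audit(text: str) -> dict:
    """Return {pref: (expected, actual)} for every hardening pref missing or wrong."""
    have = parse_user_js(text)
    return {k: (v, have.get(k)) for k, v in HARDENING_PREFS.items() if not _same(have.get(k), v)}


def render_fixes(problems: dict) -> str:
    """user.js lines that correct the audit findings; append them to the profile's user.js."""
    return "\n".join(f'user_pref("{k}", {_to_js(exp)});' for k, (exp, _) in sorted(problems.items()))


# Constructed sample: a profile where only step 3 was ever carried out.
SAMPLE_USER_JS = """// constructed sample user.js
user_pref("network.prefetch-next", false);
user_pref("browser.cache.disk.enable", true);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.startup.homepage", "about:blank");
"""


def audit_profile(profile_dir: str) -> dict:
    """Audit a real profile: <profile_dir>/user.js (path is an assumption you supply)."""
    try:
        with open(f"{profile_dir}/user.js", encoding="utf-8") as fh:
            return audit(fh.read())
    except FileNotFoundError:          # no user.js at all means nothing is pinned
        return audit("")


if __name__ == "__main__":
    print(render_fixes(audit(SAMPLE_USER_JS)))
```

Putting the emitted lines in user.js rather than only flipping them in about:config means Firefox re-applies them at every start, so the disk cache and page thumbnails stay off even after a profile refresh.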

While you’re at it, you might want to install NoScript and Adblock Plus, and learn how to use them to protect against these things landing on your browser in the first place, but that’s beyond the scope of this post. Happy faster browsing, and tell your boss in your next email that I’ll see her this weekend. 😉 xoxo