Re: Must be important.
- From: All-Seeing-I <allseeingi@xxxxxxx>
- Date: Wed, 25 Nov 2009 18:32:53 -0800 (PST)
On Nov 25, 9:37 am, Mitchell Coffey <m.cof...@xxxxxxxxxxxxx> wrote:
On Nov 25, 9:05 am, All-seeing-I <ap...@xxxxxxxxx> wrote:
On Nov 25, 3:44 am, Bruce Stephens <bruce+use...@xxxxxxxxxxxxxxxxxxxx> wrote:
All-seeing-I <ap...@xxxxxxxxx> writes:
[...]
Spinny is a bit out of date. The Gutmann will not remove all traces of
malware or viruses these days.
That depends. In a sense it's true: Using some kind of "military
strength" wiping technique on odd files won't remove malware. But
that's always been true: this kind of wiping has always been irrelevant
for dealing with viruses.
OTOH, wiping your whole disk (and all other possible sources) and then
reinstalling from known good CDs will remove viruses, but it'll also
remove all your data (photos, music, etc.) so nobody wants to do that.
But that doesn't require "Gutmann" wiping, and never has done. And if
you're reinstalling Windows you then need to reinstall the various
service packs and things, and in that period (while you're updating) you
can be reinfected.
So (as usual) I think spintronic (and you) are confused. Gutmann was
talking about what can be retrieved by forensic analysis of hard disks
and other media after the data has allegedly been deleted. That's not
relevant to Windows viruses or other malware. (It's slightly relevant
for trojans that want to send your bank account detail to Russia in that
such malware might be able to recover ordinarily deleted files, but I'm
not sure any malware actually tries that, and there's no indication that
spintronic's talking about that.)
Gutmann's results are (I suspect) no longer relevant to current hard
disks, either. The data's *much* more densely packed.
You suspect wrong. Of course one could erase an entire hard drive
using Gutmann.
But that would be rather foolish and would take days if not months to
erase today's modern hard drives (that are up to terabytes in size),
block by block, thirty five times with 1's, 0's, or both.
And BTW, there are still many small portable utilities that can be
found that use Gutmann to completely erase a single file or multiple
files on a hard drive so that there is no recovering any usable data.
Which is all Gutmann was ever really good for; or even intended for.
This is the URL to the latest version of Gutmann's paper, from his
website:
http://tinyurl.com/iqx3
Regarding what you claim in this post, the following is from a not-
particularly-recent epilogue he has appended to his original paper.
Note in particular the second paragraph. There is much more recent
research by other experts that more than confirms his conclusions:
"Epilogue
"In the time since this paper was published, some people have treated
the 35-pass overwrite technique described in it more as a kind of
voodoo incantation to banish evil spirits than the result of a
technical analysis of drive encoding techniques. As a result, they
advocate applying the voodoo to PRML and EPRML drives even though it
will have no more effect than a simple scrubbing with random data. In
fact performing the full 35-pass overwrite is pointless for any drive
since it targets a blend of scenarios involving all types of (normally-
used) encoding technology, which covers everything back to 30+-year-
old MFM methods (if you don't understand that statement, re-read the
paper). If you're using a drive which uses encoding technology X, you
only need to perform the passes specific to X, and you never need to
perform all 35 passes. For any modern PRML/EPRML drive, a few passes
of random scrubbing is the best you can do. As the paper says, "A good
scrubbing with random data will do about as well as can be expected".
This was true in 1996, and is still true now.
"Looking at this from the other point of view, with the ever-
increasing data density on disk platters and a corresponding reduction
in feature size and use of exotic techniques to record data on the
medium, it's unlikely that anything can be recovered from any recent
drive except perhaps a single level via basic error-cancelling
techniques. In particular the drives in use at the time that this
paper was originally written have mostly fallen out of use, so the
methods that applied specifically to the older, lower-density
technology don't apply any more. Conversely, with modern high-density
drives, even if you've got 10KB of sensitive data on a drive and can't
erase it with 100% certainty, the chances of an adversary being able
to find the erased traces of that 10KB in 80GB of other erased traces
are close to zero.
"Another point that a number of readers seem to have missed is that
this paper doesn't present a data-recovery solution but a data-
deletion solution. In other words it points out in its problem
statement that there is a potential risk, and then the body of the
paper explores the means of mitigating that risk."
Note that in my post earlier in this thread I wrongly stated that the
Gutmann paper in question constituted his PhD thesis. It did not.
Mitchell Coffey
Most Gutmann applets allow various settings. (IIRC) 2, 4, 6, 12, bla
bla up to 35 passes depending on your needs and individual
configuration.
So what?
My point has always been that the Gutmann will not remove all traces of
a virus by itself. Unless of course you know all of the files involved
and their locations in which the virus has deposited them. Which is
somewhat difficult to know these days because hackers have become
quite good at what they do. Plus that could take quite a lot of time
even should you know which files and locations.
However. If one wishes to simply remove a single file and make it
unrecoverable, such as a secret family recipe or a letter to your
mistress, then the Gutmann is the way to go. The number of passes that
you want made is set for the particular configuration of the machine
or the individual's level of paranoia. Whichever comes first.
I suspect that spinny did not actually do a Gutmann but instead did a
low level format. He used the term "Gutmann" to illustrate that he
formatted his HD.
It obviously did not solve his problem.
Often times problems such as his are not actually caused by a virus
but are either hardware or cable problems. Then configuration problems
should be considered and then virus problems last.
Actual boot viruses these days are rare because of such modern anti-virus
programs that do boot scans.
Spinny's claim was someone from TO hacked him. Which does not sound
unreasonable although I doubt it.
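Gutmann's epilogue quoted above recommends a few passes of random scrubbing over the 35-pass ritual, and the reply notes that wipe utilities take a configurable pass count. The following is an added example, not code from any poster or from Gutmann's paper: a small Python overwrite-then-unlink routine with a configurable number of random passes, an fsync after each pass, and a constructed sample file to verify the original bytes are gone. Function names and the sample marker are this example's own.

```python
"""Added example (not from the thread or Gutmann's paper): a pass-count-
configurable overwrite-then-unlink wipe, following the epilogue's advice that
a few passes of random scrubbing is what modern drives call for."""
import os
import secrets
import tempfile

def overwrite_file(path: str, passes: int = 3, chunk: int = 65536) -> int:
    """Overwrite every byte of `path` in place with random data, `passes`
    times, fsync'ing after each pass so it reaches the device. Returns size."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                remaining -= fh.write(secrets.token_bytes(n))  # random, not fixed patterns
            os.fsync(fh.fileno())
    return size

def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Caveat: on SSDs, copy-on-write or journaling
    filesystems and snapshotted volumes an in-place overwrite does not
    guarantee the old blocks are gone; whole-device sanitisation or full-disk
    encryption with key destruction is the reliable route there."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size

def demo(passes: int = 2) -> dict:
    """Constructed sample: write a recognisable marker, overwrite, verify."""
    marker = b"SECRET FAMILY RECIPE: constructed sample data\n" * 2000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker)
    size = overwrite_file(path, passes)
    with open(path, "rb") as fh:
        after = fh.read()  # file content after scrubbing, before unlink
    wipe_file(path, passes)
    return {
        "size_preserved": size == len(marker) == len(after),
        "marker_gone": b"SECRET FAMILY RECIPE" not in after,
        "unlinked": not os.path.exists(path),
    }
```

Note that this addresses only the file-deletion problem the thread discusses; as Bruce Stephens points out, overwriting files does nothing to remove malware.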