Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
The Military Data Storage Security United States

Unclean Military Hard Drives Sold On eBay 369

An anonymous reader writes "The Daily Mail reports, 'Highly sensitive details of a US military missile air defense system were found on a second-hand hard drive bought on eBay. The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq. The disk also contained security policies, blueprints of facilities, and personal information on employees (including social security numbers) belonging to technology company Lockheed Martin — who designed and built the system.' Scary that they did not wipe it to Department of Defense standards, which I believe is wiping the whole disk and then writing 1010 all over it."
This discussion has been archived. No new comments can be posted.

Unclean Military Hard Drives Sold On eBay

Comments Filter:
  • I have to wonder (Score:4, Insightful)

    by Lord Grey ( 463613 ) * on Thursday May 07, 2009 @08:45AM (#27858245)
    The article states that this finding was the result of a study where a few hundred drives (300+) were purchased from various places and then scanned.

    A spokesman for BT said they found 34 per cent of the hard disks scrutinised contained 'information of either personal data that could be identified to an individual or commercial data identifying a company or organisation.'


    For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.

    Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible? Granted that there would be capital outlay, but a lot of that is recovered by selling the drives again through the vary same channels, and the risk of getting caught would be extremely low. Quantity of information is lower than with network-based methods (eg, keyloggers, sniffers, etc.) or other information-gathering methods, but I would think the quality of the gathered data would be much, much higher. Good enough to resell for a relatively high amount.

    It seems, to me, that there is a bit of hyperbole going on here.

    • by drinkypoo ( 153816 ) <martin.espinoza@gmail.com> on Thursday May 07, 2009 @08:54AM (#27858347) Homepage Journal

      Where are the corresponding crimes? If a third of the used hard drives on the market really contain such detailed personal or business information, wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?

      Uh, what makes you think that they aren't? Your comment is utterly devoid of value unless you can prove a negative somehow. Good luck!

    • by noundi ( 1044080 ) on Thursday May 07, 2009 @09:07AM (#27858459)

      ... wouldn't you think that at least one group of criminals would be buying as many of these drives as possible?

      Well the black market is a quite complicated. The only groups with enough funding and enough motive to even try to obtain this information (disregarding the middlemen that you're mentioning) would be other nations. Let's say you're an exceptional nerd with enough skills to extract this data into usable form (I think it would be fair to say that many /.-ers fit or could fit this profile given some time to research). How would you go about selling this information to let's say North Korea? Who would you contact? Better yet, who would they allow you to speak to? I doubt you can just pick up the phone and ask the operator to "hook you up with the illest of Kim Jongs". But let's say you actually do get to speak with him (or anybody of importance really). How's your Korean? Ok final hypothesis, let's say you actually do speak Korean. What are you going to say? It's not like you're calling from AT&T to offer him 5$ less monthly fee if he subscribes to the service for 24 additional months.

      Basically I see where you're coming from but I wouldn't take the procedure so lightly. Plus there's possibly a lot more important information floating around somewhere that never "got in the wrong hands" as well.

      • people always underestimate the dangers of physical delivery.
        Let's think this through: I am a smartie who knows computers and is interested in blackmail. Where do I get thosehard disks? you see, ebay and such are markets, so you have to tell them where you want those disks sent, under what name, on which credit card....then you must retrieve them, probably giving some proof of identity.
        So, given that my objectives are:

        1. get rich;
        2. do NOT get caught in the process;

        I do not think that's the best option.
      • Re:I have to wonder (Score:4, Interesting)

        by DZign ( 200479 ) <averhe@ g m a i l . com> on Thursday May 07, 2009 @09:36AM (#27858861) Homepage

        After reading the book 'spies among us' I've learned that making contact for selling information is just as simple as walking
        to an embassy/consulate from the specific country and asking to speak with someone about information..

      • Hmm. I could probably round up half a dozen Korean-speakers who can run a disk-recovery application properly, given an hour or two. Ok, so, I live in a university town and I have an advantage, I'll admit it.

        But I think that it's entirely possible that someone who has run a couple of small scams successfully could parlay that cash into buying several hundred hard drives. Finding name/SSN sets on one of these hard drives has plenty of value for identity thieves right here in the U. S. of A. It's not only the

    • Re: (Score:3, Informative)

      by MikeBabcock ( 65886 )

      First off, blackmail doesn't hit the news, that's the whole point. You tell the company what you've got and threaten to use it against them and get paid off.

      Personally I wouldn't blackmail a defence contractor, all things considered but there are those with larger gonads than I though.

      Secondly, a lot of criminals go with what they're good at. Just because a new avenue of crime exists doesn't mean it will be taken advantage of immediately.

      Just think how long the Internet was a big open place before we star

  • Unclean? (Score:5, Informative)

    by Nerdfest ( 867930 ) on Thursday May 07, 2009 @08:48AM (#27858267)
    I guess we'll need to format them in a purifying fire then.
  • by Anonymous Coward on Thursday May 07, 2009 @08:50AM (#27858301)

    You can wipe a disk with "dd if=/dev/zero of=/dev/sda" and nobody will get anything from it after that, but the problem isn't the technical feasibility of securely wiping a hard disk: It's a problem of procedure. If hard disks are sold, there's always going to be a mishap where disks which were supposed to be wiped are not and sold with the data intact. Also, why was this data not encrypted? Anyway, hard disks are just not worth enough to take these risks. Destroy the disks and do it in-house.

    • by bleh-of-the-huns ( 17740 ) on Thursday May 07, 2009 @09:07AM (#27858455)

      There are much quicker ways then that. In fact, at my old office, we had NSA approved degaussing equipment for hard drives, that destroyed the data permanently (no amount of forensics will be able to retrieve it), but left the drive itself intact for reuse or resale.

      The fun part of course is that when you turn it on.. 2 or 3 floors of lights all dimmed at the same time for a few seconds while it powered up and it hummed.. loudly... Thats a powerful magnet :)

      • by rongage ( 237813 ) on Thursday May 07, 2009 @09:13AM (#27858549)

        Modern drives have "servo tracks" on them - used for setting the head position. If you use an eraser powerful enough to wipe the drive, then the servo track is most likely also wiped - rendering the drive totally useless to most folk.

        • Re: (Score:3, Informative)

          by samos69 ( 977266 )
          Yup, we just purchased a Verity degausser to wipe some drives before donating them to charity and have found that the servo track is wiped and they become completely useless... £1800 wasted, but it's damn fun to wipe things with!
        • To be fair, he did say "for reuse or resale". He didn't specify what KIND of use. You could use it a a paperweight, a doorstop, a hammer ... the possibilities are endless! And then you're done using it, you can always sell it on e-bay.

        • Re: (Score:3, Insightful)

          by Orgasmatron ( 8103 )

          Don't forget that modern drives use material with obscenely high coercivity so that the domains don't spontaneously flip their neighbors. If you use a magnet powerful enough to randomize the platters, you'll warp all the steel parts.

      • Military standards are to write 1010 all over the drive... Hmm. I bet the FBI could get those top secrets afterwards. Really I don't even know if I'd trust degaussing for anything really important. Or fire for that matter, unless it were hot enough to actually melt the entire drive to a puddle of slag. How many times has someone burnt a paper in a fireplace only to have the ashes remain, still clearly readable? Opening the drive, removing the platter and using a grinding wheel to turn it into iron filin
    • by s0litaire ( 1205168 ) * on Thursday May 07, 2009 @09:11AM (#27858513)
      i'd use "dd if=/dev/urandom of=/dev/sda" Urandom is slower but better..
      • Re: (Score:3, Informative)

        You've got it backwards. Urandom reuses the entrophy pool, so it will not block, but will be slower. /dev/random is the real deal.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        No, there is a probability that the random data is the same as the original. Would you take that chance?

        • Re: (Score:3, Informative)

          by systemeng ( 998953 )
          The mistake in thinking that it's a bad thing to never have the data be the same is roughly speaking part of how the Germans lost WWII. The British broke the Enigma cypher by figuring out that a given letter was _NEVER_ encoded as the same letter. That tiny blip in the probability function allowed breaking many coded messages if they could get a small amount of cleartext such as the weather report.
      • Re: (Score:3, Informative)

        by multisync ( 218450 )

        i'd use "dd if=/dev/urandom of=/dev/sda" Urandom is slower but better..

        If you have access to dd, you probably have access to shred. It makes several passes using different patterns (25 by default), and has the option of zeroing the drive on the last pass. I believe it meets DOD standards. I'm not sure how effective it is with slack space, which often holds recoverable data even after running utilities that are supposed to wipe data off drives, but dd wouldn't be any better.

        • Re: (Score:3, Insightful)

          by jimicus ( 737525 )

          The problem with shred (and indeed any such utility) is that it doesn't account for application behaviour. What if some application that uses the file re-writes it - eg. because of some change to the file - to a different filehandle than the one the file was originally read from?

          What if at some point the file was read into memory and that memory was swapped out by the OS? There are lots of quite reasonable scenarios where there are fragments of the file sitting around indefinitely.

  • please... (Score:5, Interesting)

    by VMaN ( 164134 ) on Thursday May 07, 2009 @08:50AM (#27858303) Homepage

    Before people start discussing if drives should be overwritten 32 or 2^32 times, please show me ONE proven example of a regularly zeroed drive being recovered.

    This challenge has stood for more than a year.
    http://16systems.com/zero.php [16systems.com]

    • Re:please... (Score:5, Insightful)

      by canix ( 1176421 ) on Thursday May 07, 2009 @09:00AM (#27858401)

      It is possible that the people most likely to have the resources and expertise to do this (i.e. govt. security depts.) don't want to announce that they have this capability ...

      • That cuts both ways (Score:3, Interesting)

        by kaladorn ( 514293 )

        It is possible that the people who want to sell you a product don't want to announce the capability they wish to sell you is not necessary.

        Besides, if the government is after you, they have such a variety of options to figure out what goes on (pin cameras, laser mics, various other forms of mics, analysis programs that can guess what you are typing, installation of keyloggers, and just simple acquisition with legal means like a warrant) that worrying about whether they may, beyond all known capabilities of

    • by sakdoctor ( 1087155 ) on Thursday May 07, 2009 @09:02AM (#27858409) Homepage

      In the UK, the government uses magnetic fields generated by train seats to erase sensitive data.

    • Even if it is doable, no one is going to buy random 0'ed drives to run through an electron microscope just to see if there maybe a few thousand dollars worth of blackmail on it.
    • Re:please... (Score:4, Insightful)

      by WoLpH ( 699064 ) on Thursday May 07, 2009 @09:19AM (#27858633)

      Why would any company enter a challenge like that? What data recovery company would comply to this: "You also must publicly disclose in a reproducible manner the method(s) used to win the challenge."?

      Regardless of wheter it is possible or not, it is definately not worth the trouble for anyone.

    • Re:please... (Score:5, Insightful)

      by Hyppy ( 74366 ) on Thursday May 07, 2009 @09:20AM (#27858647)
      $500 to recover a drive, eh? If I had a data recovery business, I'd hang up on you too. If you want people to take you seriously, then perhaps you should present yourself in a serious manner. Offering $500 and a basement-made "King of Data Recovery" title is not a serious challenge. It's a slap in the face to any legitimate data recovery business to be "challenged" like that.
      • The last reputable data recovery company I dealt with charged us $1500 to recover a dead laptop drive. They gave us a new drive that was nearly perfectly recovered from the old dead, dropped, damaged drive.

        That may seem like real money to some people, but it was worth it to the client in question. Why on earth would they do even more work for one third the money?

      • Re: (Score:3, Funny)

        It's a slap in the face to any legitimate data recovery business to be "challenged" like that.

        But I thought a slap in the face was the proper way to announce your challenge!

    • That challenge is a joke.

      1) If I could recover data from a zeroed drive, I'd charge a lot more than USD500 to do it. Why? Because there will be people who would pay.
      2) I'd charge a LOT more to show you how to do it with NDA etc.
      3) I'd charge even more to publicly disclose to everyone how to do it.

      Secondly this from the website is even funnier: "Yes, if your company is an established, professional data recovery company (see below). Send a self-addressed, postage-paid box with packaging material to the addres
  • DoD wiping standards (Score:5, Informative)

    by mati.stankiewicz ( 1326159 ) on Thursday May 07, 2009 @08:54AM (#27858337)

    "which I believe is wiping the whole disk and then writing 1010 all over it."

    Taken from DoD 5220.22-M Wipe Standard:

    "[...]DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."

    • by mevets ( 322601 )

      In Soviet Russia, the drive wipes you...

    • by Sancho ( 17056 ) *

      I can't find that anywhere in the actual document. Which page is it on, and which edition of the document?

  • by __aajwxe560 ( 779189 ) on Thursday May 07, 2009 @08:56AM (#27858365)
    I perform computer forensics work, and part of my research towards obtaining my degree was going to the MIT Swap Meet (great event) and buying used hard disks from vendors on occasion. In about 90% of the cases, the user appeared to have simply "deleted" the files, with nothing more. Now, I would expect this for a normal home user, not knowing any better, but the biggest thing of concern was the number of drives that came from various corporate entities. I was able to see and read data from drives that clearly came from several major banks, including mortgage apps, SSN's, corporate planning documents, etc. Again, the files appeared to have been simply "deleted" by the IT folk, instead of securely wiped, making it trivial at best to read everything.

    So while this example is no better, I believe it highlights an ongoing problem that involves better user education and disk encryption helps solve.
    • Re: (Score:3, Funny)

      I created the secure wiping policy for my department. It involves an axe. I get to use it on anyone who tries selling old drives instead of having them shredded.
  • Little OT Anecdote (Score:5, Informative)

    by rodrigoandrade ( 713371 ) on Thursday May 07, 2009 @08:57AM (#27858373)
    I used to work for a major OEM whose clients included the military, along with other branches of the US government. The military in particular had a "strict" policy about hard drives: they did NOT RMA them EVER. If a PC of theirs was to be returned or sent in for service, it arrived without the hard drive.

    What's the point of such strict policy towards your supplier if some dumbass from within will just pawn it off on Ebay?? It's not the first time this happens.
    • by Hyppy ( 74366 )
      Either way, the point of a policy is not to be broken. I'm sure Private Murphy or Contractor Black wasn't following proper procedure when he decided to sell some old hard drives for beer money.
    • by bleh-of-the-huns ( 17740 ) on Thursday May 07, 2009 @09:15AM (#27858579)

      The problem is not necessarily from a gov branch, but most likely a supporting contractor, in this case Lockheed martin.

      Same reason why those same contractors are forbidden from using VPN from gov facilities (DOD and Federal atleast) to their home offices. In the past, a certain contractor from a certain company at a certain 5 pointed facility introduced some lovely malware that spread like wildfire fromthe contractors company to the gov facility.

      However, like I said, while policy says what not to do, deadlines and management looking the other way sometimes to meet those deadlines and whatnot go against those policies, sometimes nothing happens, sometimes bad things happen.

  • by __aanmys7397 ( 1280784 ) on Thursday May 07, 2009 @08:58AM (#27858381)
    ..the market is being flooded with Chinese made ground to air missile defence systems, available for a quarter of the price, and half the accuracy.
  • by JackassJedi ( 1263412 ) on Thursday May 07, 2009 @08:58AM (#27858383)
    Why does the DoD not simply destroy the disks in question?
    • Exactly. Grind them up. If they can grind up cars in a junkyard, surely someone can make a smaller device to grind up a hard drive.
    • My guess was that this was not a DoD system, and probably not at the DoD facilities, but rather at the contractor facilities.

      They are however (which is written into the contract that was signed when the project was awarded) required to comply with DoD regulations. It appears that in this case, probably during a technology refresh would be my guess, that there was a shit ton of old equipment, and the IT folks got lazy, since securely wiping a drive without a degausser of sorts takes a very long time.

    • by camperdave ( 969942 ) on Thursday May 07, 2009 @09:33AM (#27858831) Journal
      Why does the DoD not simply destroy the disks in question?

      Sometimes it's easier to detect a security problem by letting some information leak.
      • by eth1 ( 94901 )

        Especially if they have fingerprints of the data on each drive, and tracked which one went where for disposal.

  • by LoyalOpposition ( 168041 ) on Thursday May 07, 2009 @09:06AM (#27858441)

    scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.

    That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.


    • by H0p313ss ( 811249 ) on Thursday May 07, 2009 @10:54AM (#27860111)

      scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.

      That's nearly right. The actual procedure is to wipe it to DoD standards, and then load it up with fake documents.


      So you're saying this Area 51 map and Build-Your-Own Nuke instructions I have here might be bogus?

  • by sunking2 ( 521698 ) on Thursday May 07, 2009 @09:07AM (#27858461)
    Did lockheed actually own these machines, or do they lease them? My guess is LM (like most larger companies) has a contract with someone like CSC/IBM/etc who actually owns, maintains, and replaces machines. This is probably where the ball was dropped. Every 3 years here CSC replaces 10s of thousands of PCs that they are itching to sell off before they depreciate into worthlessness. I can certainly see them taking short cuts, or missing a few. This is the problem with outsourcing IT infrastructure. They don't always really understand or care about the same thing as you.
  • by roger_that ( 24034 ) on Thursday May 07, 2009 @09:07AM (#27858463)

    The drives were probably illegally sold. DoD requires the destruction of classified drives, and contractors are supposed to follow the same rules. If the drive(s) in question held classified data (which they apparently did), they should have been wiped, then physically destroyed. Sounds like someone bypassed the last step, and tried to make a little profit on the side, by selling the "destroyed" drive.

    Disclaimer: I work for a contractor on a US Government contract, working with classified data. (at the five-sided building)

    • Re: (Score:3, Funny)

      by T Murphy ( 1054674 )

      the five-sided building

      ...most buildings have a roof and 4 walls, so that doesn't exactly narrow it down.

  • by s0litaire ( 1205168 ) * on Thursday May 07, 2009 @09:09AM (#27858485)
    Or are these types of stories probably sponsored by E-Bay's PR department..

    Just think of all those people now bidding on old hard drives now... Probably won't be able to pick one up for under £99 by the end of the week :D

    That reminds me... Got a few old ones to sell myself... :D:D
  • by sirwired ( 27582 ) on Thursday May 07, 2009 @09:11AM (#27858527)

    I worked in a highly classified facility once. The wipe "standard" was to hire a lowly intern (such as myself), remove the platters from the case, take them out back, and sandblast them. The agencies scientists had decided degaussing wasn't good enough.


  • by Anonymous Coward

    First part of story. scary that they did not wipe it to Department of Defense standards which I believe is wiping the whole disk and then writing 1010 all over it.

    I just had a mental image of a private being assigned a sharpie and a room full of hard drives, furiously writing 1010 on each one.

  • DoD standards (Score:2, Interesting)

    by konigstein ( 966024 )
    Are to overwrite the harddrive 9 times, then degauss (which makes a loud POP and the magnetic information is GONE, and THEN to drill 6 holes through the drive. The DoD policy memo can be found here http://www.drms.dla.mil/turn-in/usable/cpu-memo-jun01.pdf [dla.mil]
  • Say what? (Score:3, Funny)

    by minsk ( 805035 ) on Thursday May 07, 2009 @09:15AM (#27858581)

    wiping the whole disk and then writing 1010 all over it.

    Did exactly that. Removed it from a computer. Wiped all over the disk. Then took a marker and wrote all over it. For additional security, wiped it *again* to remove the marker. And you nuts are still claiming there's secrets on it...


  • by xonar ( 1069832 ) <{xonar} {at} {smagno.com}> on Thursday May 07, 2009 @09:15AM (#27858583) Homepage
    A++++++++++++ service! Quick shipping, and free military secrets included! Would buy from again.
  • The problem with writing 1010 all over the disk is that it only covers an extremely tiny fraction of the disk. Most modern drives are much larger than 4 bits.

    It is also highly inefficient since the OS would always have to read a whole sector (typically 512 bytes) and modify it in memory before writing it back again to avoid changing any bits outside of those 4 that are to be wiped!

    So, why not just sell it on eBay and hope the buyer wipes the disk before using it?

  • by BenEnglishAtHome ( 449670 ) on Thursday May 07, 2009 @09:19AM (#27858637)

    I work for the IRS and we supposedly use the DOD standard. Our wiping software actually has a "/DOD" switch. However, unlike the standard quoted in another post, our software just reinitializes the MBR and then does 7 random overwrites. Is that better or worse than writing patterns? I dunno.

    I do know, however, that we never let a drive out of our inventory without a wipe. If the drive has failed completely, we have a big magnetic blanker we use. (Local option - in my office, we then take those drives apart, abuse the platters, and one of our techs makes sculptures from them. Neat stuff.)

    As an aside, we never RMA drives, either. If a drive in our possession fails, we call for a warranty replacement and send back in the return box a signed statement swearing that we destroyed the old drive. If a laptop has a failure that requires a contractor tech to replace parts, we make them come on-site then have someone stand over them the whole time to make sure they don't try to actually read anything off the drive.

    I would expect the military to do at least as well. Am I wrong?

  • SInce When (Score:2, Interesting)

    by cfkboyz ( 1129423 )
    I just got out of the Military and was in there for 6 years. Not one time did we ever wipe a hard drive, not because we did not care nor to lazy. We never sold the hard drives or gave them away. We either reused the drive or we smashed it and then recycled it. The Army is so paranoid that we even had to take RAM out of old computers that processed classified information just because it MIGHT have information left...
  • by AnalPerfume ( 1356177 ) on Thursday May 07, 2009 @09:29AM (#27858759)
    Every time a piece of hardware which wasn't properly cleaned to the recommended levels, the individual responsible for letting it leave the premises should be held accountable....personally. How about sharing state secrets with the enemy? You can't know who it was destined for so there's every possibility it will go overseas. To my knowledge this carries a harsh sentence, but we can allow a prison sentence if they co-operate with the authorities and ensure the command level personnel are also charged.

    My guess is that most of this stuff happens through employee laziness, and contractor unaccountability. If you have lobbyists lairing in government to ensure that you keep the contracts no matter what and are able to hide anything under the "national security" red herring then why bother enforcing rules like wiping stuff properly? The idea of being held PERSONALLY responsible, with potential jail time will make people stop and think, specially if the command level have no loophole to blame their underlings for anything the press find out about.
  • For all anyone knows it could have been stolen.

  • Why wipe a disk?
    Media is cheap nowadays. Just destroy the disk.
  • One of the researchers, Professor Andrew Blyth said: "It's not rocket science..."
  • Has anyone here ever used an induction cooker [wikipedia.org] to wipe/destroy a hard drive?
    It seems that should be effective and entertaining.

  • [probably to post [today.com] tomorrow]

    Gigabytes and gigabytes of pornography and highly sensitive login details for gentleman's art sites were bought by a US military missile air defence base second-hand on eBay.

    The artistic pamphlets were found on a hard disk for the SPLORT (Super-Powered Less Obviously Retronymed Thing) ground to air missile defence system, used to shoot down Scum missiles in Iraq.

    Dr Andy Jones, a researcher at the base, said "This is the fourth time we have carried out this research and it is

  • I worked for a government contractor at Tinker AFB in Oklahoma back in 2005-2006. I was on a contract doing server/desktop support for a wing on the base. Whenever we had a failed drive in a desktop, laptop or server there were certain protocols that we had to follow to make sure the data was compromised. We had to remove the drive and then take it apart completely. Once it was dismantled we had to scratch the platters to make sure they couldn't be reassembled in a different drive. I was also in on a serve
  • Last time I read the military specs for harddrive disposal, moderately sensitive data disks should be deleted and zero'ed 7 times. (That options is on the Mac Disk Utility, BTW.)

"my terminal is a lethal teaspoon." -- Patricia O Tuama