[28745] in bugtraq
Putting the "NSA Data Overwrite Standard" Legend to Death...
daemon@ATHENA.MIT.EDU (Jonathan G. Lampe)
Tue Feb 4 14:33:36 2003
Message-Id: <5.2.0.9.0.20030204105538.03166c68@mail.stdnet.com>
Date: Tue, 04 Feb 2003 10:57:09 -0600
To: bugtraq@securityfocus.net
From: "Jonathan G. Lampe" <jonathan@stdnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
OK, I'm sure this one will start a flame war, but...I work for a vendor
whose products overwrite files when "deleting" them as a way of protecting
old data. Lately several customers have been asking for "NSA" or "DoD"
standard overwrites, usually with a value of 3, 7 or 9. (Our response to
the feature was to more or less let the owner of the product pick the
number of overwrites; the obvious tradeoff is morewrites=slowerdisk.)
Anyway, while researching how we wanted to document recommended values for
the overwrite feature, I looked into the "DoD" and "NSA" standards.
I was not surprised to see that a "DoD standard" DOES exist:
Government name: DoD 5220.22-M
A nice summary: http://www.zdelete.com/dod.htm (not my product)
Some original documents: http://www.dss.mil/isec/nispom.htm
Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED
(non-removable rigid disk)
I was surprised, however, to learn that a "NSA standard" DOES NOT exist.
I did the usual Google searches and came up with nothing but various sites
and postings claiming the standard was anything from 5 to 20
overwrites. Then I called the NSA (1-800-688-6115
- http://www.nsa.gov/isso). The first person I chatted with passed on the
question, but the second answered the question in no uncertain terms - NSA
is aware of DoD 5220.22-M and DOES NOT have a separate recommendation.
So...could this finally be the end of IT employees casually tossing around
the "NSA overwrite standard" - or is there something I'm missing?
Second, where did the number 7 really come from? (It seems to be the
leading recommendation out there right now for number of overwrites and is
frequently attributed to the NSA.)
- Jonathan Lampe, GCIA, GSNA
- jonathan.lampe@stdnet.com
