(…)
DESCRIPTION
Recovery of supposedly erased data from magnetic media is easier than
what many people would like to believe. A technique called Magnetic
Force Microscopy (MFM) allows any moderately funded opponent to recover
the last two or three layers of data written to disk; wipe repeatedly
overwrites special patterns to the files to be destroyed, using the
fsync() call and/or the O_SYNC bit to force disk access. In normal
mode, 34 patterns are used (of which 8 are random). These patterns were
recommended in an article from Peter Gutmann (pgut001@cs.auck‐
land.ac.nz) entitled “Secure Deletion of Data from Magnetic and Solid-
State Memory”. A quick mode allows you to use only 4 passes with random
patterns, which is of course much less secure.

NOTE ABOUT JOURNALING FILESYSTEMS AND SOME RECOMMENDATIONS (JUNE 2004)
Journaling filesystems (such as Ext3 or ReiserFS) are now being used by
default by most Linux distributions. No secure deletion program that
does filesystem-level calls can sanitize files on such filesystems,
because sensitive data and metadata can be written to the journal,
which cannot be readily accessed. Per-file secure deletion is better
implemented in the operating system.

Encrypting a whole partition with cryptoloop, for example, does not
help very much either, since there is a single key for all the parti‐
tion.

Therefore wipe is best used to sanitize a harddisk before giving it to
untrusted parties (i.e. sending your laptop for repair, or selling your
disk). Wiping size issues have been hopefully fixed (I apologize for
the long delay).

Be aware that harddisks are quite intelligent beasts those days. They
transparently remap defective blocks. This means that the disk can
keep an albeit corrupted (maybe slightly) but inaccessible and
unerasable copy of some of your data. Modern disks are said to have
about 100% transparent remapping capacity. You can have a look at
recent discussions on Slashdot.

I hereby speculate that harddisks can use the spare remapping area to
secretly make copies of your data. Rising totalitarianism makes this
almost a certitude. It is quite straightforward to implement some sim‐
ple filtering schemes that would copy potentially interesting data.
Better, a harddisk can probably detect that a given file is being
wiped, and silently make a copy of it, while wiping the original as
instructed.

Recovering such data is probably easily done with secret IDE/SCSI com‐
mands. My guess is that there are agreements between harddisk manufac‐
turers and government agencies. Well-funded mafia hackers should then
be able to find those secret commands too.

Don’t trust your harddisk. Encrypt all your data.

Of course this shifts the trust to the computing system, the CPU, and
so on. I guess there are also “traps” in the CPU and, in fact, in
every sufficiently advanced mass-marketed chip. Wealthy nations can
find those. Therefore these are mainly used for criminal investigation
and “control of public dissent”.

People should better think of their computing devices as facilities
lended by the DHS.

IMPORTANT WARNING — READ CAREFULLY
The author, the maintainers or the contributors of this package can NOT
be held responsible in any way if wipe destroys something you didn’t
want it to destroy. Let’s make this very clear. I want you to assume
that this is a nasty program that will wipe out parts of your files
that you didn’t want it to wipe. So whatever happens after you launch
wipe is your entire responsiblity. In particular, no one guarantees
that wipe will conform to the specifications given in this manual page.

Similarly, we cannot guarantee that wipe will actually erase data, or
that wiped data is not recoverable by advanced means. So if nasties
get your secrets because you sold a wiped harddisk to someone you don’t
know, well, too bad for you.

The best way to sanitize a storage medium is to subject it to tempera‐
tures exceeding 1500K. As a cheap alternative, you might use wipe at
your own risk. Be aware that it is very difficult to assess whether
running wipe on a given file will actually wipe it — it depends on an
awful lot of factors, such as : the type of file system the file
resides on (in particular, whether the file system is a journaling one
or not), the type of storage medium used, and the least significant bit
of the phase of the moon.

Wiping over NFS or over a journalling filesystem (ReiserFS etc.) will
most probably not work.

Therefore I strongly recommend to call wipe directly on the correspond‐
ing block device with the appropriate options. However THIS IS AN
EXTREMELY DANGEROUS THING TO DO. Be sure to be sober. Give the right
options. In particular : don’t wipe a whole harddisk (eg. wipe -kD
/dev/hda is bad) since this will destroy your master boot record. Bad
idea. Prefer wiping partitions (eg. wipe -kD /dev/hda2) is good, pro‐
vided, of course, that you have backed up all necessary data.
(…)