
Kanagawa government hard disks swiped, sold online - ytch
https://www3.nhk.or.jp/nhkworld/en/news/20191206_24/
======
_wldu
Years ago, I bought an old Sun Netra server from ebay. It had the original OS
and apps still installed. Before installing OpenBSD, I changed the root
password and looked around. It had customer data from a large, well-known
online company.

I looked up the company's contact info and emailed them. They called the next
day and asked for the server's serial number (which I gave them). A few days
later one of the company's executives called back and asked me to confirm the
serial number (which I did). He said he was holding a certificate of
destruction for that server's hard drives and would be taking some action
against the contractor that had been hired to destroy them. I had already
wiped the data and installed OpenBSD (or was about to).

Anyway, I'm not surprised this type of thing still occurs. To be sure data is
not exposed, companies ought to wipe drives themselves and encrypt them before
handing them over to contractors. Once the gear is gone, no one knows where it
will end up.

~~~
mc32
If things are that sensitive and important no disk should leave a building
whole. You have to have a ridiculous process in place that is unforgiving that
says that unless physically destroyed a disk cannot leave a building (unless
it’s in a sealed bag from mfg —obviously disks have to get from receiving to
where they’ll be used).

~~~
vidarh
Part of the problem is that modern hard drives are hard to destroy. E.g. try
taking a hammer and chisel to them - you might manage to destroy the
connectors and PCBs, but those are replaceable, and someone having hacked the
PCB to pieces is a good sign it's worth trying to get to the contents. Getting
to the platters is a pain, and destroying them enough to make recovery
impossible as well.

If you don't have a facilities department that is prepared - e.g. with
protective gear and an angle grinder or similar power tools, odds are someone
will decide it's easier to bypass that process you describe than to get the
equipment and do the job properly. It takes firm management by someone who
knows and understands the risks and cares about preventing them to ensure it's
hard enough to bypass these processes, and hiring someone that takes this
seriously just isn't high up on people's list (e.g. I've _never_ been asked
about what approach I'd take to physical security of server infrastructure by
anyone wanting to hire me to roles where I'd be responsible for server
infrastructure).

~~~
Nursie
I haven't taken a hard drive apart for about a decade but last time I did take
one apart getting at the platters was a job for a couple of minutes and a hex-
driver.

At that point, when the platters have been exposed, you're basically done,
feel free to scratch them up or smash them with a hammer.

Frankly, having read about this, a once-over pass with dd if=/dev/zero
of=/dev/sdX is going to be enough to destroy all data anyway. There is no
instance I know of that the theoretical data-recovery techniques proposed to
recover after that have been successful in practice; they depended on electron
microscopes and 90s platter densities.

~~~
mc32
I think you’re right that zeroing is effective with today’s densities but it
lacks visual evidence that gives confidence a policy was executed properly.

Also with defective drives or S.M.A.R.T. failures it’s easier to meet the
requirements by physically destroying the medium.

~~~
Nursie
True!
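
An added example, not part of the thread: one way to back a zero-fill pass like the `dd` command above with a record that it completed, by reading the target back and reporting the first non-zero byte, if any. The function name, the record fields and the sample images are assumptions constructed for illustration.

```python
import json
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time


def verify_zeroed(path, chunk_size=CHUNK):
    """Read every byte of `path` and report whether all of them are zero."""
    checked = 0
    first_bad = None
    with open(path, "rb", buffering=0) as dev:
        while True:
            block = dev.read(chunk_size)
            if not block:
                break  # end of device or image file
            if block.count(0) != len(block):
                # Offset of the first surviving non-zero byte in this block.
                first_bad = checked + len(block) - len(block.lstrip(b"\x00"))
                break
            checked += len(block)
    return {
        "target": path,
        "bytes_verified_zero": checked if first_bad is None else first_bad,
        "clean": first_bad is None,
        "first_nonzero_offset": first_bad,
    }


def demo():
    """Constructed samples: a fully zeroed 3 MiB image and one with a leftover byte."""
    results = []
    for dirty_at in (None, 2 * CHUNK + 123):
        with tempfile.NamedTemporaryFile(delete=False) as img:
            img.write(bytes(3 * CHUNK))
            if dirty_at is not None:
                img.seek(dirty_at)
                img.write(b"\x41")  # simulated data that the wipe missed
        try:
            results.append(verify_zeroed(img.name))
        finally:
            os.unlink(img.name)
    return results


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

On a real disk, pass the device node and run as a user allowed to read it. A clean result covers only the addresses the drive exposes, which is the SSD caveat raised later in the thread.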

------
bobthepanda
If you want something done right (like making sure your data is no longer on
someone else’s hard drive), you should really do it yourself.

Zero-filling a hard drive isn’t hard.

~~~
viraptor
But also not really guaranteed to do what you want in case of SSDs. It may. Or
it may get optimised/balanced leaving lots of data behind.

~~~
washadjeffmad
Years ago we settled on using block device encryption for all flash storage
and then destroying the headers or revoking all keys.

This satisfies the infeasibility requirement of NIST SP 800-88 without relying
on flash vendors to have appropriately implemented ATA command standards like
secure erase, which almost none fully do.

~~~
zmix
This destroys the filesystem, but not the physical disk, right? I mean, will
the SSD be usable after that, albeit, by installing a new filesystem and
reformatting?

~~~
washadjeffmad
Correct. It's not like when degaussing wipes the track information from a HDD.

This is also as opposed to relying on the self-encrypting feature on most
modern flash. Whether you're dealing with high enough asset value to warrant
this level of interest or are just beholden to the same standards, you should
reach out to your flash vendor for clarification.

------
blondin
off topic -- it made me happy to see a newspaper from japan and in english
too. i browsed around to see what they were covering and even if the news was
gloomy, it was somewhat refreshing to see another perspective on what's going
on in the world.

~~~
mpiedrav
There's also The Japan Times [1]. Several non-English speaking countries do
have at least a newspaper in English [2].

[1] https://www.japantimes.co.jp

[2] https://en.m.wikipedia.org/wiki/Category:English-language_newspapers

~~~
mikekchar
What follows is a completely biased opinion, but I don't really have a high
opinion of The Japan Times. IMHO they have an editorial slant that tends to
cater to the foreign reader's biases rather than reporting news from a
Japanese perspective. Like all newspapers, it's a mixed bag and there are
often well written and insightful stories. However if I were looking for a
place to stoke my confirmation bias for common misconceptions about Japan, The
Japan Times would be the absolute first place I would look.

The NHK world news linked in the original article is probably the best place
to get Japanese news from a Japanese perspective in English, but you also have
to be a bit careful. While the NHK is very similar to the UK's BBC in many
ways, news stories are frequently very soft on government policy. So it's sort
of the opposite of the Japan Times ;-) The quality in general is much better
IMHO, though.

If you don't mind relying on Google Translate (which is getting quite good
these days) the TBS news website is very good:
https://news.tbs.co.jp/ There is video for most
stories and a transcript written under the video. This is actually what I used
for studying to learn to understand the news. The quality of the stories varies,
but they make a good counterpoint to the NHK. Keep in mind that all Japanese
news offices tend to have a cozy relationship with the government, so you need
to keep your mind open.

If you have an interest in Japan, keeping abreast of this Japanese news is
useful as I have found numerous blatant errors in foreign reporting of Japan
-- sometimes to the point where they translate something a Japanese official
says exactly the opposite to what they are saying. I don't think this is true
only of Japanese news either. World news is full of shenanigans and it really
is an eye opening experience to follow the news from the perspective of a
different country/culture.

------
C14L
There should be no need to wipe or zerofill the drives. They should be full
disk encrypted from the start.

------
ossworkerrights
I am curious why they chose to rent them instead of buying them, and how many
times over they paid their price by doing so?

~~~
pizza234
The leasing model (it's not 100% certain from the article that they have been
leased) may make sense for disks, if the idea is that after some time they
must be necessarily replaced.

Assuming they were leased, since the client returned them (instead of
purchasing them), physical space may have been a reason.

~~~
ossworkerrights
Wouldn't it mean that the lessor would be allowed to sell the drives? I mean
if you rent them out, and they are handing the goods back would you just
destroy them? Something doesn't sound right here.

~~~
agustif
Well recycling heavily used disk drives sounds more like waste disposal, I
mean who can you sell that shit and get away with it? Maybe give em away if
they work, idk.

------
notadev
Likely unrelated, but Kanagawa prefecture is home to a large US Navy base in
Yokosuka city. A lot of military and US government employees likely have some
of their data somewhere on those servers.

~~~
jki275
I'm hoping this isn't the case as I spent a lot of years there. Most of us had
little contact with the local government -- road tax was the only thing we
were liable for to the local government.

Well anyway, the US Government has managed to export all my personal data
multiple times anyway, this can't be worse than that. The most they'd ever be
able to get out of the Kanagawa government is the address where I lived when I
was there and probably the license plate to the car I had.

