- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Say, where does that paper say that you can´t do it? I think I must have missed the point of the paper somewhere. I thought it described in detail that you can do it, and how you can do it, and how you could (theoretically) prevent it (at least in 1996)...
Admin
And since no one has made the obvious joke yet, the loops really run in O(0) time.
Admin
Admin
Admin
AIUI, the paper says that you might be able to recover data if it's just overwritten once.
But, no one, ever, has claimed to be able to do it. Certainly data recovery companies don't claim to be able to do it.
I suppose some secret government organisation might be able to do it, but they've never presented any of their recovered data as evidence anywhere, so we don't know.
See http://www.nber.org/sys-admin/overwritten-data-guttman.html as an example of a 'rebuttal' of Guttman's paper. http://www.actionfront.com/ts_dataremoval.aspx#Re-Formatting is applicable as well.
Admin
Read the damn paper.
Before you make a fool of yourself.
Start with section 7, why don't you?
Admin
TRWTF is in the comments, as usual. The loops... well, they don't loop. As has been stated repeatedly, check the loop condition.
Of course, since you don't seem to have read the rest of the thread, I'm guessing you won't read this, either...
Admin
Your proof that data can be recovered from a formatted drive is totally irrelevant, because formatting the drive doesn't write over your data.
Admin
Because the loops in his post DID loop. And ARE O(n).
And were the context for my post. Which is why it was quoted.
Everyone knows that the loops in the original post don't actually execute. The thread had moved beyond that.
Admin
The gutmann paper also mentions that you can't degauss a modern hard drive. They passed the point of requiring more power than the total generating capacity of human civilization a while age; easier to just physically destroy them.
I suspect the idea was based around a full format, the question wouldn't make any sense otherwise.
Admin
Can you explain WTF relevance this has to the question of zeroing data out in RAM?
Can you show where I did that? No? You can only cite strawman arguments? That's what I thought.Admin
Dear DaveK,
You really should read the entire post before you go shooting your mouth off at some guy who's writing a fairly funny parody of a 419 scam attempt.
Most serious, professional posters do. Apparently you zeroed out your temporary memory before starting your reply.
Admin
Wow, this is one of those WTFs that really catches you off guard. Well, it caught me off guard, anyway. Here I was thinking that it was just a "Oh, that's just silly" kind of WTF. But then I read the comments and saw the punchline. Awesome.
I wonder if maybe the original programmer knew exactly what he was doing. Management probably mandated this kind of "security," but the programmer knew it was stupid so he "mistyped" the > signs. I mean, really, what C programmer would mistype something like that... twice? You'd have to go out your way to use >. < is used almost exclusively in every other for loop.
Still awesome though, if only as a subtle "FU" to stupid management.
Admin
"they encrypted the IP-address when it was passed between functions using XOR encryption."
Does this mean they tried to "encrypt" the parameters to every function call in their code? Unless I misunderstood it, that's the most ridiculous WTF.
Admin
You know, between this post and how you jumped on the guy with the 419-scam joke, I think you and Gutmann must be lovers or something. It's the only explanation I can think of for you taking comments about the paper he wrote personally.
Admin
Just imagine that: neo takes the red pill and escapes the matrix just to find that it is running in a VM an he's now in the host matrix 0.o
Admin
Even a "full" format doesn't overwrite any data sectors. All it does is scan for bad ones. You might be thinking of a low-level format. Back in the 80's, you could do that through the BIOS, but even then, all you were doing was writing sector numbers to the tracks. Nowadays, that is done at the factory, and the HDD has a much more limited interface.
The process of zeroing out a drive completely is called "reinitialization." No standard formatting routine does a full reinitialization at the same time, but there are plenty of utils available from both manufacturers and third-parties that will do this.
Admin
Tsk tsk... such typical knee-jerk reaction... think about what you are doing man, throwing away the ability to do large numbers of iterations by using short...
Might I suggest using a float... you get the best of both worlds, neatly avoiding the O(n) issue, and also allowing for a truly massive number of iterations ;)
Admin
I bet this was an intelligent programmer who was doing his part to aid the resistance to idiocy inside the company. His PHB probably insisted on such foolishness, but couldn't read the code.
Admin
These days it's off by default because (good) modern hard drives handle bad blocks themselves, it takes forever, and in most cases isn't needed as a simple read will discover bad blocks.
Note that AFAIK, the DOS format command doesn't provide an option for this. Ext2 does as part of its tool, and I expect other third-party utilities will as well, despite it being mostly useless.
Admin
Oh for crying out loud. Do you have the faintest idea what the phrase you're using actually means? It would be a PKB if I hadn't read the paper. I have read the paper. Therefore it's not a PKB. What /were/ you thinking of?
Admin
That was the obvious joke in the first place, although he called it O(1) instead of O(n). The WTF is that someone actually corrected it, complete with a long lesson about O(n) complexities.
Some people need to leave the asperger's at home before coming here...
Admin
[quote user="Bob N Freely"][quote user="foxyshadis"] The process of zeroing out a drive completely is called "reinitialization." No standard formatting routine does a full reinitialization at the same time, but there are plenty of utils available from both manufacturers and third-parties that will do this.[/quote]
Mac's disk utility has the option. It can do a zero out, a 7-Pass erase, and a 35-Pass erase when formatting.
Admin
OK Dave, but you haven't explained why you quoted a post that was making fun of the "some technology" line in the original article (with allusions to 419 scams) and then started ranting about something ENTIRELY UNRELATED. WTF?
Admin
So, you feel that the only reason two people would ever have the same point of view on a subject is because they're lovers? Does mrprogguy know that you feel this way?
That simply demonstrates your poor ability to think of explanations. Never mistake a failure of the imagination for an insight into necessity.
Admin
Dear mrprogguy,
You should really read not just the entire post, but the entire thread before you go attempting to correct someone. Context is everything. The parody was indeed funny, but misbegotten, because it starts from the assumption that there is no need to zero data in memory because it cannot be recovered; that is why the OP suggested that it would only be some kind of scammer or snake-oil-salesman who would say that it could be done. In the code, in the original post, the WTF that we are here to all discuss: the buggy typo in the for loop tests is indeed bad, wrong, WTFy and quite amusing; but the basic concept of zeroing your sensitive data in memory is most certainly not a WTF, and it is foolish to mock it.
Bwaaaaah! "Professional posters"? Is that the current euphemism for "people who spend all day on the 'net because they have no life"? Sure, I may misinterpret or misunderstand things or just be plain wrong sometimes. But I'd really rather be any/and/or/every kind of wrong forever than fall under the impression that being a "professional poster" was somehow a worthwhile way of life...
Admin
I /was/ talking about the "some technology", because the coder's concern that data in memory is vulnerable didn't seem as daft to me as it did to the guy who wrote the parody. See the middle chunk of my reply in http://worsethanfailure.com/Comments/It-Only-Seems-Redundant-and-Stupid.aspx?pg=L#165829 starting around the words "funny but misbegotten".
Admin
Admin
There was actually a time when governments thought multiple Caesar shifts made codes stronger. There was one guy in Spain (I think) who would "test" their codes, tell them they were unbreakable, then sell the secrets to other countries, who all thought they had unbreakable codes and that everyone else was just an idiot.
I still can't fathom how anyone could not notice that multiple Caesar shifts only return one of the 26 shifts you could have gotten singly.
Admin
As for overwriting values in memory: it is quite useless. As long as you had the value unencrypted once during execution time -- you are screwed. And erasing it immidiately after using will not help you much. Your usual cracker won't normally search memory for interesting patterns, he will stop you program right at the point where it is about to use the data in its final form and examine memory contents at his leasure.
No need for special hardware or anything (for PC software at least), just good debugger (SoftIce was popular last time I checked).
Admin
Bah, everybody knows that this is the way to cleanse a hard drive.
Admin
Dude... if a hacker has control of the physical box where the software is running, the only options are to use obfuscation techniques. Remember, if this is something that a hacker can run, he can very easily run it under full emulation, using Bochs for example. That lets him run a program stepping one instruction at a time, or put break points on memory locations, or on code locations. Running under Bochs he can have the (virtual) machine freeze when the program looks at a certain piece of memory, a register, a network port.
The only thing that helps with that is to use a strong obfuscating compiler to make it very difficult to trace WTF the code is doing.
In fact, this idiotic idea of writing over the memory 100 times makes the situation worse because then you can just rig Bochs to look for loops like that, and when it happens you have a) automatically detected where in memory the secret bytes are stored and b) it's trivially easy to grab them before the loop starts, because you can set a breakpoint at the top of the loop code! (Note that it's likely that the compiler would optimize away this loop, so the compiler might save these bozos from their own bozoness.)
So this "meticulous" security is not just redundant and stupid, it's actually making it easier for an attacker to get key bytes by making it bleeding obvious where those bytes are.
And my captcha is pointer, bleeding appropriate for this post.
Secure Postfix with TLS to prevent relaying
Admin
Admin
TRWTF is all these people saying they should have used memset or bzero instead. If they want to be secure, they should be using SecureZeroMemory instead.
Admin
The real WTF is my cat.
Admin
Admin
Admin
May I suggest:
#define medium int ... for (medium i = 0; i < 4; i++)
problem solved
Admin
Let me guess: On a recent project you touched a bit of security related code, so now you are an expert in the whole field.
Take an aspirin and have a lie down, before making yourself look even more ridiculous.
Admin
I'll have you know some of us do it to avoid work
Admin
Learn to spell.
Admin
Alot of hacks are based on hooking function calls.
Admin
It might be interesting at this point to look up the various talks given by the people who hack modern game consoles. (I trust most readers here are intelligent enough to plug "hacking the xbox" or something similar into Google Video and take it from there)
It really is pretty amazing what a small bunch of motivated people can do, and pretty amazing how horrible "security" some major corporations can come up with.
It'll also tell you what sort of people those "crackers who do it for a living" really are. They don't have electron microscopes for reading overwritten data off hard drives -- and they don't need to.
Admin
iNt i = 0; i < 4; i++) {And now you see N in the code?
Admin
Admin
FR1ST!!@!!`!(timesyouvebeenlaid+1)
Admin
Indeed. I was investigating something similar (trying to do a calculation 100,000,000 times in a loop to see how long each iteration took). I had to beat GCC with a stick to make it actually execute the calculation inside the loop--it kept trying to move the calculation outside the loop since the function was inline, its parameters never changed, I stored the return value in the same memory location, and there were no aliased pointers in scope.
Admin
I wonder how much room 2 GB of core memory would require.
Admin
Except that you can't stop iterating once you hit 8 million or so.
No, it's better to do this:
// trwtf.h typedef int imt; // trwtf.c #include "trwtf.h" // The "n" above doesn't count because it's in preprocessor code, not in the algorithm. for (imt i = 0; i < 4; ++i) {...}Admin
So...what you're saying is...that Quicksilver used O() notation correctly?