Short answer: No.

For the long answer, read on below.

Long answer: Nooooooooooooooooooooooooooooooooooooooooooo.

The problem with most operating systems is that they are generally designed with eye candy, simplicity, ease of use, robustness or speed in mind. Security has never really been prioritized¹⁾. 

There ARE tools for the secure deletion of files. Eraser is one such tool (and there are many more). Eraser wipes the blocks that your file occupies multiple times.

The problem is that your data may well live in other places aside from the designated blocks on the hard drive. If the data was read by a process that is paged, your page file may contain a copy of the data. If the filesystem layer decided to move your data around on the physical disk for some reason then the original location will not be overwritten. If you’re using a journaling file system, your data was probably written to the journal before going to the final blocks. If you’re using an applications such as MS Word, multiple temporary doc-files may be spread out all over your disk. These temp-files are never overwritten, only “deleted”. Many temp-files are also never even deleted automatically.

Wiping the “empty space” is a first step. Eraser has such an option. But wiping empty space will only remove deleted temp-files and moved files. Your information might still be in the page file, in your Journal or even in temp-files that have never been deleted.

There is no 100% guarenteed method to delete individual files. There are good methods and not-so-good methods but none that are NSA-proof. The only way to be sure is to take off and nuke the entire site from orbit.

1)  Yes, there are operating systems that are more focused on (different aspects of) security than others. Like Windows Vista, for example – the most secure operating system ever! Seriously, though, the i5/OS comes to mind. So does Anonym.OS (although it leaves much to be desired regarding stability). And OpenBSD isn’t crappy either.

The reasons for wanting to wipe a hard disk drive are many:

• You might expect a visit by NSA-SCS.
• You might suspect a rootkit infestation.
• You might wish to sell your old computer or throw it away and you don’t want your anyone else to get a hold of your private data ¹⁾.
• Same as above, only for companies, hospitals, law firms or anyone else with legal obligation to prevent the spreading of sensitive data.
• You’re simply paranoid.

Whatever your reasons are, you need to make sure that the data that used to be on your hard drive are gone, hence the need for a disk wiping tool.

But as mentioned in my previous post, wiping tools – that is; block erase wiping tools (BEWTs) – have certain limitations:

• Hidden data areas (HPA/DCO) might not be wiped, possibly leaving rootkits in place (although probably non-functional).
• Blocks marked as bad by the hard drive itself are not wiped (blocks marked as bad by the operating system only will be wiped). This information is possible to recover using exotic forensic techniques ²⁾.

In addition to these two previously mentioned limitations, the following apply:

• When data is overwritten (block erased), the old data on the hard drives might leave magnetic information on off-track areas of the hard drive. BEWTs have no way of erasing this off-track information. This information is theoretically possible to recover using exotic forensict techniques. ³⁾
• On modern, high-capacity drives, multiple overwrites are no more effective than a single overwrite. ⁴⁾
• BEWTs are suseptible to malware attacks. ⁵⁾
• Using BEWTs takes time. Following the old DoD 5220.22-M directive of 3 consecutive wipes might take as much as 24 hours on a 250GB disk. BEWTs can exceed the DoD standard and wipe a drive as many as 35 times, leaving the computer used for wiping non-operational for weeks.
• When you’ve run a BEWT, you have little posibility of verifying that a complete wipe has taken place; that all user accessible areas has been wiped. You’ll have to rely on the information that the BEWT gives you.

Enter Security Erase
Lately there’s been some hype about the relatively new ATA command addition called Secure Erase (part of the ATA Security Feature Set), from now on refered to as “ATA-SE”. ATA-SE is an ATA command (SECURITY ERASE UNIT) built into hard drive firmware that, if executed, orders the hard disk drive to wipe itself. Using software similar to BEWTs (boot disk with an ATA command program) you can trigger this built-in function, wiping your hard drive. Alternatively, you can use the same program to simply lock the hard drive rendering it useless, so that only a wipe (or providing the correct password) can unlock the drive to make it usable again ⁶⁾. If you have a disk drive produced 2001 or later (with a capacity of 15GB or higher) there’s a 99% chance that your hard drive implements ATA-SE.

But what’s the hype about?

This article by ZDNet writer Robin Harris, for example, incorrectly portrays ATA-SE as some magical solution to disk security. Mr. Harris is not really at fault, though, since his article is based entirely on this paper [PDF Warning] called “Tutorial on Disk Drive Data Sanitization“. In the paper, Dr Gordon Hughes⁷⁾ at Center for Magnetic Recording Research at University of California, San Diego and Tom Coughlin⁷⁾ of Coughlin Associates lists the various faults of block erase methodology in a such way that poor mr Harris is led to believe that ATA-SE solves all these problems. This is unfortunately not the entire truth. Let’s review!

• In the paper, the reader is led to believe that wiping the HPA/DCO is inherently difficult using BEWTs and inherently simple using ATA-SE. This is not the case. Wiping HPA/DCO is a tool implementation problem, not a wipe methodology problem. Some BEWTs (such as Blancco) implement HPA/DCO wiping by default, other tools could allow the user to chose whether or not to wipe HPA/DCO while other tools are not able to wipe HPA/DCO at all. The same principle would apply to ATA-SE tools. The ATA-SE tool “HDDErase” allows the user to chose whether or not to wipe HPA/DCO.ATA-SE is not superior to Block Erase on this point.
• In the paper, the reader is led to believe that ATA-SE can wipe the off-track areas of the HDD platters while BEWTs cannot. The actual phrasing in the paper is:”It is difficult for external software to reliably sanitize user data stored on a hard disk drive. [...] Off-track overwrites could be effective in some drives, but there is no such drive external command for a software utility to move heads offtrack.“While it is certainly true that BEWTs cannot write to off-track areas, ATA-SE cannot overwrite off-track areas either. ATA-SE does a single on-track erasure of the data on the disk drive.ATA-SE is not superior to Block Erase on this point.
• In the paper, the reader is led to believe that BEWTs are inherently more suseptive to malware attacks. This is, to the best of my knowledge, simply not true. If you want to read my view on this point, see footnote number 5.As far as I know, ATA-SE is not superior to Block Erase on this point.
• In the paper, the reader is led to believe that ATA-SE is significantly faster than Block Erase. While speed is not a security issue per se, I agree that the more time-consuming a wipe is, the less likely will it be that users will wipe their disks, so I’ll adress this issue as well. On this one, the good doctor is comparing apples and oranges. While he claims that a single overwrite is not less secure than multiple overwrites he still compares a single ATA-SE overwrite to multiple Block Erase overwrites. Still, a single ATA-SE wipe will be faster than a single BEWT wipe.ATA-SE is only slightly superior to Block Erase on this point.
• In the paper, the reader is led to believe that blocks marked by the hard drive itself as bad are not wiped wiped by BEWTs while they ARE wiped by ATA-SE. This claim is true. Blocks marked as bad by the hard drive itself (g-list blocks) are wiped with ATA-SE. This is impossible (or very difficult) to achieve using BEWTs.On this point, ATA-SE is superior to Block Erase.

Not emphasized in the paper (to my surprise) is the fact that ATA-SE provides much more reliable feedback regarding the wiping of the disk. If the hard drive successfully wiped the drive it will say so. If anything went wrong; not only will you know that it went wrong, but the drive cannot be used until a successful wipe is completed. This provides the user with a whole new level of feedback. The malware threat is not eliminated, though – read footnote 5.

Summary:
ATA-SE methodology is superior to Block Erase methodology due to ATA-SE’s ability to overwrite bad blocks, due to it’s reduced time demand and due to it’s improved completion feedback.

When should you use ATA-SE and when should you use block erase? If you’re in a hurry, is a “hard disk lock” sufficient?

Let’s start with the disk lock question. Disk lock as a means of security should only be used for strictly non-sensitive data! Locking the drive does not erase any data and the disk lock can easily be circumvented by any of the thousands of disk recovery companies around the world ⁶⁾. While it is more secure than just “deleting the files” or formatting the drive, it is certainly not sufficiently secure for any degree of sensitive data.

How about ATA-SE wipes vs BEWTs? Well, for SCSI drives you don’t have much choice but to use BEWTs. Even though the SECURE ERASE UNIT can be implemented in SCSI disks as well as ATA disks, no SCSI disks have – to the best of my knowledge – implemented this function yet. When it comes to ATA disks, however, I believe BEWTs pretty much have played out their role. ATA-SE will take over the role of disk wiping (especially when the next version of MS Windows implements direct access to ATA-SE along with the format command, as my magic 8-ball said it will). ATA-SE is just as good as BEWTs - or better - for home users, hospitals, law firms and the like. Even government agencies should use ATA-SE, provided that the data that needs to be wiped is of a low-sensitive nature (yeah, now I’ve given the recommendation, not just some obscure government institute ⁸⁾).

However: remember that data CAN (probably) be recovered from a drive wiped by ATA-SE. Granted, the level of expertise and equipent is high and time committed is huge – but it CAN (probably) be done. With high probability the NSA have this capability, as well as intelligence agencies in other countries, such as China, Russia, Israel, France, UK, Germany, India and others. If you have information that you need any of these agencies NOT to see, then ATA-SE is not sufficiently secure. In addition to wiping the drive with ATA-SE you will have to use some physical destruction method ⁹⁾.

Of course, if you’re anything like me you’ll use both ATA-SE and Block Erase for your sensitive data, then yanking the platters from the drive, grinding the surfaces and bending the platters. Then melting the platters in a burning furnace and taking a boat to somewhere in the middle of the pacific ocean and dropping the furnace overboard. Then having NASA hurling the Pacific Ocean into the sun. Then making God destroy the universe.

It all depends on how paranoid you are.

—————————————————–

Epilogue: In a related post I will be writing about “wiping” hard drives using built in HDD level encryption. But I’ll write about encryption basics first. And the general concept of HDD-based disk encryption. I think.

Also, note that ATA-SE in itself (paired with incorrectly written BIOS) poses a malware/security threat. But that’s a whole other story.

—————————————————–

1)  In 2003, Simson Garfinkel and Abhi Shelat at MIT bought 158 used hard drives at secondhand computer stores and on eBay. 129 of these drives were functional. 69 of these still had recoverable files on them. 49 contained “significant personal information” including medical correspondence, love letters, pornography and credit card numbers. One of the disks even had transactions with account numbers from a cash machine. 51 of the drives above had been formatted, yet 19 of those still contained “easily” recoverable data.

2, 3) There are literally thousands of data recovery companies around the world that can perform “normal” forensic techniques:  replacement of the firmware or the electronics board or cleanroom replacement of the spindle motor, base casting, head stack, etc. These techniques all rely on the hard drive’s own hardware (or replacement of equivalent hardware) for retrieving the user data from the drive. Any recovery from the disk platters when the platters are outside the drive’s normal environment are referred to as “exotic forensic techniques”. The number of commercial players are few, if any; the techniques require expensive equipment (such as scanning magnetic force microscopes), sophisticated decoding algorithms (since the data recovered from the platters are encoded – and each hard drive will have a unique encoding) and vast amounts of time (scanning each sector multiple times, calculating averages and assembling the scanned sectors into decodeable blocks) and are not commercially viable. The only organizations who are likely to be able to perform such operations are government signal analysis agencies, such as NSA-SIGINT, and even they will be limited in the number of cases per year.

4) A study made by Center for Magnetic Recording Research at University of California, San Diego indicates that multiple overwrites do not provide any significant improvement in data remover over a single overwrite. A single overwrite provides more than sufficient wiping of the information to prevent the information from being recovered by normal forensic methods.

A paper on the CMRR study can be found here: http://www.tomcoughlin.com/Techpapers/Secure%20Erase%20Article%20for%20IDEMA,%20042502.pdf

The study was led by Dr. Gordon Hughes and Tom Coughlin (see footnote 7).

5) There are really only a few ways that malware could attack a block erase tool such as DBAN, ExpertEraser, Killdisk or Blancco. They all boot from a CD, floppy or USB memorystick, loading their own operating system into RAM before starting the wiping process (presumeably all with the ATA command WRITE SECTOR(S) (EXT)).

Given these facts, there really aren’t that many ways malware can interfere with the process. The most likely way is for the boot CD/floppy/USB to be infected (another theoretical method is by a BIOS rootkit).  If you downoload DBAN and run the LiveCD, you really have no way of knowing whether it really does what it says it does. The CD will boot, the program will start and the message on the screen will inform you that a wipe is underway. Theoretically, if the DBAN LiveCD is infected by malware, the program could do NOTHING, only pretending to wipe the disk for two days, then tell you that the disk is wiped. If vital parts of the file system is destroyed (by simply formatting the drive) you have no way of telling whether the drive has been wiped or not – unless you turn the drive over to a disk recovery company for analyses. This infection is fairly easily implemented using rootkit-like system hooks.

Now, the same method would work for any tool implementing ATA-SE wipe. With ATA-SE you boot from your own DOS boot disks and run the HDDErase program. If the HDDErase tool was infected with malware the tool could behave like the above example. The program would tell the user that a SECURITY SET PASSWORD is being set and that a SECURITY ERASE UNIT is being performed, when in fact only a standard disk format is being performed.

My conclusion is that BEWTs and ATA-SE have the same level of risk of being twarted by malware (and a very small one at that).

6) According to ATA standardization organisation T13 and HDD manufacturers,  a locked drive cannot be unlocked again without the correct password – neither by the drive manufacturers themselves or by anyone else. The aforementioned data recovery company Ibas has proven this to be a big fat lie ^{a) b)}.

7) Dr. Gordon Hughes is the Associate Director of the Center for Magnetic Recording Research at the University of California, San Diego. Tom Coughlin is President of the data storage consulting firm Coughlin Associates.

Dr. Hughes and Mr. Coughlin were involved in the invention of the ATA-SE command and were involved in the adoption of ATA-SE into the ATA standard by the ATA standardization organisation T13.

8) The single overwrite ATA-SE method has been recommended by the National Institute of Standards and Technology as the standard method for erasing ATA hard drives at a “purge” level (the three levels are “clear”, “purge” and “destroy”). The new NIST 800-88 [PDF warning] standard (Guidelines for Data Sanitation) has replaced the old DoD 5220.22-M standard (National Industrial Security Program Operating Manual).

9) Bending the platters is one of the most effective destruction methods available; preventing even exotic forensic recovery. As little as a millimeter of bending makes all forms of practical recoverability impossible – even though the data is still theoretically intact.

On this particular PC 100% data was recovered.

What’s this got to do with you, you ask? Or with Gawd, for that matter?

Well, if you have sensitive data that you do not want anyone to find, let alone be able to read then companies like Ibas (or NSA, for that matter) are your worst nightmare. If the data has ever been stored on your computer these guys can probably find it. Pressing “Delete”, formatting the disk or using “fdisk” or similar tools will NOT do the job. If you have data that you want to get rid of, you need something serious.

Hence the God analogy - Ibas know how to treat the data so that they themselves cannot recover it. Enter: ExpertEraser

ExpertEraser (EE) is a tiny piece of software that “wipes” (Block Erase) your hard drive so that Ibas or similar companies (including NSA) cannot recover the rata that was once stored on the disk. EE runs from a bootable floppy disk or CD, it is not installed on your hard drive. It works as long as you can boot from a floppy drive or a CD, regardless of whether you have a PC or Mac, Unix, Linux, DOS, MacOS or Windows; whether the drive you want to wipe is formatted as FAT, NTFS, HFS Plus, ext, HPFS, etc.

I’m not too big a fan of EE, though: it is closed source, which means that you have no way of knowing what it really does. In addition, Ibas collects information about your wipes (if you want to “refill” your license). These two factors makes for a bad combination. A great, and gratis, alternative to EE is the open source software DBAN (Darik’s Boot and Nuke).

DBAN, just like EE, is a disk wiping tool that does the job thoroughly. They’re both small, bootable and secure (although anything but fast; a secure wipe of a normal-sized disk will take many hours, up to days). They both exceed the requirements set by the Department of Defense (DoD 5220.22-M). http://www.killdisk.com/ is a third alternative, although not open source.

There are also tools that let you delete individual files in Windows, Linux, Unix or MacOS. Such tools will be discussed in another blog post. There are also alternatives to the slow block erase method that these tools use. I will discuss these methods in a later post.

A word of warning about wiping hard drives: What you do not know might kill you.

There are limitations to disk wiping tools. Modern hard drives will automatically mark bad sectors of the hard disk as “bad” and the hard drive will not allow write access to those sectors. DBAN, for example, is not able to wipe sectors marked bad by the hard drive. Whether or not this is the case for ExpertEraser I do not know. There are ways around this limitation, but they require a lot of work.

In addition to the bad sector problem, there are parts of the hard drive that is usually hidden from the normal user; the HPA (Host Protected Area) and the DCO (Device Configuration Overlay). The HPA is sometimes used by PC manufacturers (such as HP or Dell) to hide recovery tools for easy recovery of the operating system. The HPA could also be used by rootkits to hide themselves from anti-rootkit tools. The DCO was originally intended for storing power management features, but it is otherwise similar to the HPA and might be used to hide rootkits or other data. DBAN does not wipe HPA/DCO while Active@Killdisk do. If you really wish to wipe your hard drive, for example if you suspect that you computer has been infected by a rootkit, you should use a bootable Linux CD to remove the HPA and/or DCO (make it part of the normal hard drive space) before wiping the hard drive.

The HPA might also be used by you to hide data that you do not want others to find. This will probably work if you’re trying to hide the data from your wife, but will certainly NOT work if you’re trying to hide data from NSA. Hiding data in the HPA is like writing with invisible ink: it’s not plain to see, but will not hold up under scrutiny.

There’s only one way to really hide data from peering eyes: strong cryptography. And even with cryptography what you don’t know might kill you. But that’s for another blog post.

1) Yes, I know that the external apperance of a PC is not related to the difficulties of retrieving data from a HDD (which is usually something as unsexy as replacement of the firmware  or the electronics board or cleanroom replacement of the spindle motor, base casting or head stack) – but it’s still cool.

If you’re not already a supporter, you might consider becoming one.

Anyway, today’s blog post is about their list of privacy tools. It’s certainly not a complete list, and they’re not doing anyone any favor listing Skype under “Voice Privacy” and “Secure Instant Messaging” (since Skype is Evil^tm), but the list is a great compilation of good tools.

Check it out here: http://www.epic.org/privacy/tools.html

But do I trust Google Inc. to do no evil, to know everything about me; every aspect of my life – and not misuse that information, today and in the forseeable future?

Maybe I’m being Ultraparanoid™, but I’d have to say ”NO!”.

”But Google doesn’t know everything about me”, you say. Well, let’s take a look at what Google DO know (or may know), shall we?

If you use GMail, Google reads all your mail. If you use Google Desktop, Google reads every document on your computer. Just those two are enough to give me the creeps. But it gets even worse – a lot worse!

If you use Blogger, Google knows what you’re passionate about. If you’re logged in to GMail or Blogger while searching for something on Google search engine, Google knows what topics you wanna know more about; that is: connecting a search result to a specific person. Google knows what things you’re buying. With the recent purchase of Doubleclick, Google can follow you around as you surf, knowing everything you read about on the Internet.

So, do you trust Google Inc. to not misuse all this information you’re giving them? I sure as hell don’t. In fact, I don’t think you’d have to be Ultraparanoid to see trouble here.

Fortunately, I’m not the only one concerned^{1) 2)} with Googles rising electronic omnipotence…

Also, as I’ve previously stated: Ebay/Skype is evil, and Google recently made a deal with eBay to integrate services wich send shivers down my spine. Just imagine combining the staggering electronic surveilance of Google with the communications nightmare that is Skype, bundeled with NSA snooping and you have a Big Brother Bonanza.

Then again, what is evil?

So what can you do to avoid this hell?

Well, I for one do not use GMail. I never will. I will never let a search engine/advertising gigant read my mail. Never. Did I say never? I meant NEVER EVER. Even more so, I will never let any company read all the documents on my computer. I don’t even trust the company I work for read all my documents, why would I give that trust to an international conglomerate? I use Blogger, but I log onto Blogger with another browser than I use for day-to-day browsing and research. I now use WordPress. This still stands, though: using Internet Explorer, Firefox, Opera and Safari for different taskt can do wonders for your privacy.

And I don’t use Skype.

You: I’ve found a way to communicate with my friends and my family in a secure fashion!

Me: Wow, that’s great. Tell me more about it.

You: It’s a voice-over-IP program with chat functionality.

Me: Sounds nice, but how exactly is it “secure”?

You: It encrypts everything with a 256-bit EAS algorithm – it’s unbreakable!

Me: Yes, 256-bit AES is a strong algorithm. Did you make sure to choose a long and complex passphrase when generating the master key to keep the implementation of the encryption as strong as the algorithm lets you?

You: Huh? Skype fixed all that stuff for me.

Me: So Skype decided what encryption master key you use?

You: Yes.

Me: Doesn’t that mean that Skype can decrypt your communication and eavesdrop on your conversations whenever they want?

You: I guess… But they probably don’t have the resources to eavesdrop on me or anyone else; Skype is a small, Swedish company. Besides, what interest would they have in eavesdropping on me or anyone else?

Me: That’s not entirely true, but let’s get back to that later, and answer this: what if Skype gave the encryption key to someone who DOES have the resources and the incentive?

You: Like who?

Me: Like for example the National Security Agency?

You: Why would the NSA want to eavesdrop on my conversations and chat sessions?

Me: Most likely, they couldn’t care less when you’re talking to your mom about her doing your laundry next Saturday, but the NSA are responsible for the collection and analysis of all foreign communications. That includes your calls and your chat sessions ¹⁾.

You: But Skype is a European company, governed by European rules and regulations which prohibits them from releasing sensitive information to any foreign intelligence agency; they wouldn’t do that.

Me: Na-uh. Skype was recently bought by eBay and all the Skype servers ²⁾ are now located in the US, which makes eavesdropping by NSA not only possible, but in fact probable. The NSA already has free access to phone calls and internet traffic routed through “normal” telephone companies /ISPs. It is only natural that they would want to do anything possible to get the hugely popular Skype communications platform under their control as well. After all, a wide-spread, easy to use, uncontrolled encrypted communications platform free for all to use is a HUGE threat to the effectiveness of the NSA. Controlling Skype has the added bonus of being able to eavesdrop on communications between foreign targets previously hard or impossible to reach. For example, a person in Germany, talking to a person in Russia using land-line phones would previously have been out of reach for NSA. The same two persons using Skype are now available for eavesdropping. In addition, the average Skype user will most likely treat the program as being trustworthy (just like you do), having bought into the Skype propaganda of the program being impossible to intercept or eavesdrop. So I have no doubt that the NSA have a great interest in getting their hands on a backdoor into the program. And if the NSA can force every telco in the USA to comply, they could certainly have no problem forcing eBay to do the same. Not that it would come to this, eBay is notoriously known for not respecting the privacy of its users.

You: I am shocked, shocked to find out that espionage is going on in here ³⁾!

Me: Now, let’s take a look at the eBay purchase of Skype in the first place. Why would eBay buy Skype? Granted, there are some potential benefits from a customer viewpoint, such as easy communication between buyer and seller. In addition, eBay might want to keep track of their customers’ online time and habits; something an IM client would be able to provide, but seriously: Skype has no real revenue potential. Skype’s business model has long been questioned by many economists. The software is gratis and the calls are mostly gratis. Although there is a line of hardware as well as services for money, there really aren’t that many ways for Skype to make money. There aren’t even any ads to gain revenue for Skype. So where does Skype get the money from, or rather: why in the flaming red hell would eBay want to haul out $2.6 BILLION for Skype? My guess is: they wouldn’t. There is no short term profit in Skype. There is most likely little or no long term profit in Skype. If Skype ever produced enough dough for eBay to break even on the buy I would be baffled. Did eBay really pay $2.6 billion for something that will never even break even? Perhaps. Or perhaps the executives at eBay are so bold as to stick that amount of cash (and stock) on a long shot? Or perhaps they see some potential that us mere mortals cannot see? Or perhaps there is a second buyer, helping eBay finance the purchase? Do I know that NSA helped fund eBay’s purchase of Skype? No, I certainly do not.

What I DO know is:

• eBay has no obvious reason for buying Skype ^{(granted, this being my weakest point)}; certainly not for $2.6 billion.
• eBay has a history of handing out extensive user information to government officials without any subpoena or court order at all.
• Skype has done everything in its power to make it impossible ^{(warning: link to big PDF)} for anyone to verify the encryption implementation or whether there are any backdoors in the program.
• Skype is known to behave in a suspicious manner, for example collecting BIOS and motherboard information – information that a VoIP/chat program has no legitimate use for. Or imposing artificial limitations based on CPU vendor.
• Skype has time and again refused to discuss Skype security issues, phone records and Skype interactions with law enforcement.
• NSA has a duty to monitor as much foreign communication as possible.
• Skype has been (presumed to be) a huge thorn in the side of NSA.
• NSA has a secret budget. Its size and its uses are unknown.

All these facts would, in a court of law, be called “circumstantial”, but putting two and two together, I wouldn’t use Skype for anything sensitive. At least not for something I wouldn’t want NSA to know, and perhaps not for anything I didn’t want a random competing US company to know either ^{(Warning: PDF document. See point 10.9.2)}.

You: Well, I’m an American, so it’s illegal for NSA to spy on me!

Me: Yeah.. Dream on.™

You: Well, I’m not a terrorist, so they won’t be interested in me at all!

Me: If you accept sacrificing your privacy, that’s your choice. But just because you haven’t done anything wrong doesn’t mean they won’t watch you.

This transcript of a Skype conversation was brought to you by NSA – your friendly neighborhood Big Brother™.

1) The Foreign Intelligence Surveillance Act (FISA) of 1978 prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between or among “foreign powers”. Even though the act specifically forbids spying on US citizens without a court order, it can be argued that it is impossible to separate domestic internet traffic from non-domestic internet traffic. Therefore, in order to be able to monitor foreign internet traffic, one must monitor ALL internet traffic. Besides, the U-SAP-AT-RIOT Act of 2001 largely removes the public protection that existed in previous laws. If that wasn’t enough, GWB has shown us that rewriting the law on-the-fly as he sees fit is just as fun.

2) Yes, Skype is a peer-to-peer software, as opposed to a server-client model, but the software is not self-certifying which means it needs to connect and login to a centralized Skype server to certify each user’s public key.

3) My apologies to Julius J. Epstein, Philip G. Epstein and Howard Koch.

“a memory stick that will self-destruct after an incorrect password has been entered more than a set number of times”

Turns out that the stick is neither self-destructing nor secure, and that the French intelligence service should be very, very, very ashamed of themselves.

Thank God for hackers.

Update, april 19:th, 2007:
Apparently, renown IT security expert Bruce Schneier came to the same conclusion that I did.

However, a photo taken by myself with my digital camera can tell you

• when the picture was taken,
• what camera make and model I used,
• what software I used to download the picture to my computer,
• when the picture was modified and
• what software I used to modify it.

If I’m using one of these GPS-enabled devices, you can even find out exactly WHERE I took the picture.

If you have one of those fancy new digital single-lens reflex cameras (e.g. Canon Digital Rebel) you’ve probably registered your camera with the manufacturer (Canon) for bonus crap, haven’t you? And since the “Camera Body No.” is stored in the EXIF information, the people at Canon (and NSA, if they want to) know what pictures YOU took (or someone using your camera).

Normally, EXIF is a Good Thing^TM. The GPS camera, for example, was created to enable you to let your friends know where (and when) you took the picture. But as usual: beware of what you reveal to strangers. If tinfoil is your friend, you might want to remove that EXIF information before giving the picture to the entire world, without ever being able to remove it…

The simplest and best tool I’ve encountered for removing EXIF information is “Exif Farm“.

Unfortunately, EXIF Farm costs money (the demo sucks ass). However, there are numerous other tools available, including some Open Source ones.