# High return from corporate hard drives



## justinhcase (Sep 16, 2014)

Has anyone seen a higher potential return from a scrap hard drive?
https://nakedsecurity.sophos.com/2014/09/16/man-buys-old-servers-accuses-ernst-young-of-data-breach/
Very interesting.
Obviously searching hard drives for personal data so you can use it for illegal activity is a crime and the perpetrators should be hunted down and punished.
But detecting a corporate breach of security or offering to permanently destroy the data on a client's hard drive as well as we do when we process them may both be very good sources of extra income.


----------



## galenrog (Sep 16, 2014)

I actually have a CL ad up locally offering electronic data destruction. I get a lot of inquiries asking me to retrieve data. When I tell them I do data destruction, not data retrieval, they typically become confused. The few business customers that do understand what I am doing think I should charge more, since I am permanently taking care of a problem for them.


----------



## rickbb (Sep 16, 2014)

Hmmm, I should start charging for drilling holes in the platters then. I've been doing it for free.


----------



## Anonymous (Sep 16, 2014)

That's extortion Justin. Plain and simple. Regardless of whether the data was left on the drives or not. 

It won't end well for the guy.


----------



## GotTheBug (Sep 16, 2014)

I take a bit of the aluminum and make fire ant "sculptures". When purifying, I'll pour aluminum into muffin pans, and use a muffin as an example of the "data destruction", telling clients I would challenge anyone on earth to retrieve data after I finish with the drives.


----------



## justinhcase (Sep 16, 2014)

spaceships said:


> That's extortion Justin. Plain and simple. Regardless of whether the data was left on the drives or not.
> 
> It won't end well for the guy.


Extortion is a crime and only an idiot would play such games with entities that possess an infinitely deep pocket.
Offering a backdated prophylactic service to an entity with an infinitely deep pocket would seem to be a better alternative.
Maybe developing a way to screen data storage units for
(a) incriminating evidence would be providing a valuable service to our communities. After all, Gary Glitter would still be walking around a national icon if the geek at PC World had not checked his old hard drive.
(b) some of the infinity of data that is extremely valuable when harvested, which is in the legal domain. Why should Google and Facebook be the only people to profit from their billion dollar investment in freeing up the data protection legislation? Everything from exposing corporate corruption, incompetence and collusion, to saving a person's family photos is a legal and worthwhile investment of time.
Our aim is to extract value from what we process; data is the gold of our digital age and may be priceless. Imagine finding a historically important bit of data.
It makes me think of the huge piles of papyrus left in dumps in Egypt; that was the data files of their time, and what a wonderful thing to find and translate.
In fact, with data storage becoming so cheap it may be worthwhile to make a copy of all data before processing of data devices, just in case it becomes valuable in the future.


----------



## Shark (Sep 16, 2014)

I have had computers from loan companies, doctors' offices and several large businesses of other varieties. Most often these are given to me with the instructions that the hard drives are destroyed and all data that I may see is confidential and never made public in any manner. I intend to stick to that as it is a part of the requirement for me to receive them. I never reuse or look at the data on those drives, and they are destroyed. If I get a computer from an individual, or otherwise unspecified system, I may reuse the drive, but I don't recover or use any data found on them.


----------



## jason_recliner (Sep 17, 2014)

As soon as I started gold recovering, I started trying to collect any old computers I could find from which to scavenge. I noticed a lot of them were still capable of working. Rather than scrounge, scrap and dump, it soon became clear that there are less fortunate kids out there who don't have a computer at all, nor care whether they have an 8 core processor running at warp factor 3. So I have a new mission which conflicts with my recovery efforts! I got 7 computers from a large bakery: Two are junked for recovery, the rest are moved on. (I wouldn't even bother requesting old PC donations in a forum like this. :lol:)

But a lot of collected computers still have data on them despite (feeble) attempts to clean them; photos (frequently of dubious repute), financial info, etc., which can't stay if you're giving it to a 10 year old. One guy gave me a disk that was supposedly "formatted clean". Sorry fella, it takes about 1 minute to undo that. I'll bet the work-experience kid at Ernst and Young thought he nailed it.

Anyway, my point is that there are several useful wiping tools available that wipe the entire disk and fill it with either zeros or random garbage. This NEEDS to be done when changing disk ownership. One of the several I use is Darik's Boot and Nuke. Slower per disk, but it can nuke as many drives simultaneously as you can hook up. It's not hard either; you just have to remember to do it.


----------
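An added example, not part of any post in this thread: a minimal way to check the claim above that a "format" leaves data behind while a single full zero-fill does not. The 512-byte sector size, the helper names and the sample image are constructed for illustration; the check only applies to zero-fill wipes, not random-fill ones.

```python
import io

SECTOR = 512  # assumed logical sector size; many modern drives use 4096

def scan_for_residue(stream, sector=SECTOR, max_hits=5):
    """Return (total_sectors, nonzero_sectors, first_hit_offsets) for an image."""
    zero = bytes(sector)
    total = nonzero = 0
    hits = []
    while True:
        block = stream.read(sector)
        if not block:
            break
        if block != zero[:len(block)]:      # any non-zero byte means leftover data
            nonzero += 1
            if len(hits) < max_hits:
                hits.append(total * sector)  # byte offset of the dirty sector
        total += 1
    return total, nonzero, hits

def make_image(sectors=64):
    """Constructed sample disk: metadata in sector 0, a 'file' in sector 10."""
    img = bytearray(sectors * SECTOR)
    img[0:16] = b"FAKE-PART-TABLE!"
    img[10 * SECTOR:10 * SECTOR + 24] = b"customer ledger, row 001"
    return img

def quick_format(img):
    """Models a format that only rewrites metadata at the start of the disk."""
    img[0:SECTOR] = bytes(SECTOR)
    return img

def zero_fill(img):
    """Models a single-pass overwrite of every sector with zeros."""
    img[:] = bytes(len(img))
    return img

def verify(img):
    """Scan an in-memory image; for a real disk image pass open(path, 'rb')."""
    return scan_for_residue(io.BytesIO(bytes(img)))

if __name__ == "__main__":
    print("quick format:", verify(quick_format(make_image())))
    print("zero fill:   ", verify(zero_fill(make_image())))
```

A non-zero count after a wipe means the drive should be wiped again or physically destroyed before it changes hands.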



## justinhcase (Sep 17, 2014)

Shark said:


> I have had computers from loan companies, doctors' offices and several large businesses of other varieties. Most often these are given to me with the instructions that the hard drives are destroyed and all data that I may see is confidential and never made public in any manner. I intend to stick to that as it is a part of the requirement for me to receive them. I never reuse or look at the data on those drives, and they are destroyed. If I get a computer from an individual, or otherwise unspecified system, I may reuse the drive, but I don't recover or use any data found on them.


That should be understood without being said. If you undertake a contract with someone to provide security and data destruction you do so, full stop.
Having said that, if you do something well you should not do so for free; a large part of my income is derived from providing large corporations and government departments on-site security.
If I am not paid they are not secured by me, but I will help individuals I see in trouble even at personal risk, as every citizen should.
Do you chaps know what a "Womble" is? When I come to a sticky point of recycling or re-purposing I try to think what would Uncle Bulgaria do. LOL
I am proud to be one of the biggest and ugliest Wombles around, making use of the things that I find. https://www.youtube.com/watch?v=XWQMMPFtoG4
The right M.O.D. file retrieved and sold to the Times would make enough to secure a future for just about anyone; definitely worth looking at, is it not?


----------



## Auggie (Sep 18, 2014)

spaceships said:


> That's extortion Justin. Plain and simple. Regardless of whether the data was left on the drives or not.
> 
> It won't end well for the guy.



Disagree.

If he legally acquired the hard drives then he owns them. However, the data belongs to E&Y. But it is their responsibility to destroy it. If he does it, it costs him time and money. That's an expense he ought to be able to recoup from E&Y. If E&Y wants the drives back in order to do the duty it should have done when they still had title to them and they were still in their possession, they should pay his asking price. The article doesn't say what he's demanding from E&Y, only that others are offering up to $1.2m. I'm not sure of the legality of a third party buying the drives for the data, but as long as he words the contract properly, he's selling only the hardware and the duty to protect the data (if indeed any exists) would be transferred to the new owner and he's out of the picture.

If anything, the guy's a good businessman, if maybe encroaching on the sleazy side, and Ernst & Young got caught with its pants down. Shame on them. As fiduciaries they should know way better than to let sensitive client data out of their possession like that. They deserve to be embarrassed like this. This guy is doing their customers a favor.


----------



## MarcoP (Sep 18, 2014)

To me it's just a simple matter of ethics and I'll stick to it. A few years back a client asked me to find out how a virus got into his computer and while looking at his temporary files I came to have in front of my eyes hundreds of credit card numbers with security code, first and last name, date of birth, addresses and much more; I simply 7 passes destroyed the data. I did warn him and told him all the story and before he changed his computer he came back to me for data destruction. I live far better and far happier on the trust side than anything else. Regarding what the law says or not, I have my own ones of much better standards.


----------



## justinhcase (Sep 18, 2014)

MarcoP said:


> To me it's just a simple matter of ethics and I'll stick to it. A few years back a client asked me to find out how a virus got into his computer and while looking at his temporary files I came to have in front of my eyes hundreds of credit card numbers with security code, first and last name, date of birth, addresses and much more; I simply 7 passes destroyed the data. I did warn him and told him all the story and before he changed his computer he came back to me for data destruction. I live far better and far happier on the trust side than anything else. Regarding what the law says or not, I have my own ones of much better standards.


You did make sure he had a legitimate reason to have such a large cache of other people's data, I hope!
And you made some arrangement to warn the appropriate law enforcement that the security of that data may have been compromised, as you say the unit had malicious software installed.
But I can see this discussion is starting to turn down the road of "personal privacy" and if any of us has a given right to expect it.
That fight is still being fought in the U.S.; unfortunately we have lost the battle in the U.K.
We have quite openly been told that we have to expect and tolerate almost complete surveillance.
The apathetic British public, instead of revolting as our colonial cousins would, whimpered a little and then carried on.
Just about every bit of data the state and corporations can get their hands on is already being permanently stored until they can develop the technology to process it.
And that is just the white budget; I am certain that every government and quite a number of private entities will have programs for sifting through the waste as well, even if it is never admitted to.
Would you pass on all the data you find if someone from your security services asked you to work for them and paid you well under the table?
I personally think the varying factors are too diverse to make a wholesale judgment. Every case has to be looked at on a case-by-case basis.
And yes, if I found anything that showed activity that repulsed me I would have no qualms on dropping the hammer on that individual or entity.


----------



## MarcoP (Sep 18, 2014)

justinhcase said:


> MarcoP said:
> 
> 
> > To me it's just a simple matter of ethics and I'll stick to it. A few years back a client asked me to find out how a virus got into his computer and while looking at his temporary files I came to have in front of my eyes hundreds of credit card numbers with security code, first and last name, date of birth, addresses and much more; I simply 7 passes destroyed the data. I did warn him and told him all the story and before he changed his computer he came back to me for data destruction. I live far better and far happier on the trust side than anything else. Regarding what the law says or not, I have my own ones of much better standards.
> ...


Yes, he owns a business and the web software he used to accept CC payments had left all these temporary files. A bug report was raised and later fixed. I ended up finding no real threats and at the end I came to know that he came to me because it came to his attention that some customers started having trouble with their CC accounts. It didn't take long to find out it was his old technician stealing them. He immediately warned the law and it was soon enforced.


----------



## jason_recliner (Sep 18, 2014)

MarcoP said:


> I simply 7 passes destroyed the data.



One pass is plenty. I've never heard of anyone who can recover real data from a single wipe.
_Theoretically_ an erased tape or disk is still recoverable after a single pass. But it's entirely impracticable.

Because "Nixon tapes". If, in nearly 40 years of magnetic recovery advances, anything could be recovered, these would have been.


----------



## MarcoP (Sep 18, 2014)

Yes, theoretically you are right, but I'll have to ask a developer I used to work with as he was in the data recovery business for years. However, I never did less than 3 passes and it is my standard, 7 only when I was told about critical data. Better safe than sorry.

Going back to topic. Definitely a big yes, data destruction is a good source of income and loyal clients, but no pickings whatsoever. There is no price that could pay back a professional work... well there is... and a good one too. So if you are serious about it, go for it. Otherwise save yourself some jail time and keep your name intact (your name is the only thing that will come along for the rest of your life, keep it clean) as experts can nail you down any time unless two experts come to work against each other, and from a sadistic-professional point of view, that's where the fun begins.


----------



## rickbb (Sep 18, 2014)

The reason DOD went to 7 passes from 3 was some egghead in a lab demonstrated that with an electron scanning microscope he could "read" and recover a few blocks of data from a 3 pass overwrite.

He would focus down through the layers of the magnetic particles and image the bottom-most layer and then send those images to a recorder that would "write" that data out in the same pattern as the image. He found that when you overwrite, not all of the particles would move and reassemble into the new data pattern, leaving a "ghost" of the original data.

Of course it took him a few years and he did only get enough data to show that it could be done. But that still scared the military folks enough to up the pass count.

I've found that I only need to wipe/overwrite IF I'm going to reuse or re-sell the HDD. If I'm selling it for scrap, I just drill holes in the platters. It's quicker and just as useless to try and recover data from. Unless you have a few years and a SEM.


----------

