Shostack + Friends Blog Archive

 

This Data Will Self-Destruct in 5 Seconds


CSO Online has a good article on data destruction, “Why Information Must Be Destroyed.” It’s mostly about physical documents, not data, but I can still make a few quibbles.

The author, Ben Rothke, gives an example of a financial institution that did not live up to its regulatory requirements for properly disposing documents, and was punished. Well, duh, financials are a regulated industry, and let’s face it, if you don’t live up to your regulatory obligations, you’re asking for trouble. In financials, especially given the economic situation, not living up to regulatory requirements is apt to get one slapped around. The governments are embarrassed at their part in the financial mess, so they’re as likely to overreact as anything.

However, there are other regulated industries that have a requirement to keep data (e.g. pharmaceuticals), and a parallel article could be written: “Why Information Must Not Be Destroyed.” Many IT companies have data retention requirements, as well. There are even kerfuffles about keeping router logs and so on that allegedly would affect anyone with a wireless router, all in the name of stopping kiddie porn.

I’m not going to say anything more about the obvious stupidity of this, as Gentle Readers of this blog can likely come up with as long a list as I can. I’m instead going to tell a pair of stories about destructing physical documents.

I once worked for a computer security startup that had a delightfully playful culture. We had a contract with a company that shredded documents, and they had a number of large shredding bins throughout the building. I don’t know how we got the bright idea, but one day we decided that at our next all-hands meeting, one of the architects — let’s call him Jack — would hide in one of the bins. A shill would call out, “Hey, where’s Jack?” and then Jack would flip open the top of the bin and pop up like a Jack-in-the-box and say, “Here I am!”

This, of course, meant that we had to get Jack into the box. The box had a three-digit combination lock, so that meant we just had to brute-force it surreptitiously. We co-conspirators set about to brute-force the lock. We started at some convenient spot (666, as I remember) and started counting down. Jack’s whiteboard had a small spot where we put the current position, and anyone with a moment or three to spare tried a few numbers.

After about a week, we had gone through the whole keyspace and — nothing. The lock wasn’t open. That meant that someone hadn’t tugged hard enough on the lock as they went through. Not only had we wasted a week and had to do it again, but we were likely to miss the all-hands meeting and would have to wait for the next one. As we were grumbling about it, one of the administrative assistants came by the shredding bin. We got quiet. She asked why we were over there and said that she’d noticed people congregating around the bin of late.

We had the rule in the company that it was all right to do a hack, you just had to ‘fess up when asked about it. So we told her. She thought it was a hilarious idea, and said, “I think I can help.” She dropped some of her papers into the bin and said, “Oops, I dropped the wrong folder into the bin. I’ll go get Facilities.” We scattered.

The facilities manager came over, and rescued her folder. She ostentatiously tossed the right documents into the bin and thanked the facilities guy. After he left, we all assembled and asked her, “And? And?” She told us that she’d managed to shoulder-surf two digits from him. We cheered, clapped her on the back and then found the last digit. And indeed, you had to give the lock quite a tug to get it to open. This is the first lesson: don’t put graphite in a combo lock; stickiness is a security feature.

Our hack went off without a hitch. The all-hands meeting came, we asked, “Where’s Jack?” and out Jack popped from the box to stunned looks from everyone not in on the joke. Our CEO gave one of the long-suffering sighs he gave whenever we hacked something. (However, he was game on things — we taught him to pick locks. He knew it was his job to give long-suffering sighs whenever he wasn’t included in the hack.)

A few years later in a different company, one day our office manager uttered an uncharacteristically emphatic stream of epithets. I asked what the problem was and she’d dropped the wrong folder into the shredding bin. She didn’t have good contact information for the company that handles the bin, and it was the previous office manager who had set up the service, too. She started wending her way through the twisty maze of non-English-speaking people at the shredding company.

I wandered over to the bin. It was from the same company as before. You don’t suppose, do you? I mean you don’t suppose they’d have the same combination? I tried it. Nothing. I stared at it for a moment, and then pushed the middle wheel up one. The lock snapped open in my hand. Clearly, the sticky lock wasn’t an intentional security feature before. I managed to fish out the misplaced folder without falling in and brought it over to her.

She disengaged from the shredding company, who had not figured out which account it was yet, and asked, “How did you do that?” and then added sotto voce, “Or do I not want to know?” I told her the story of Jack in the Bin, as well as the combination that worked, and told her to write it down in her notebook of fun facts. I also opined that the other bins in the building probably differed by only the middle digit. Why? Human factors. The guys who come in to empty the bins can’t memorize lots of combinations, so probably only remember the two-digit outer number and brute-force the middle digit. (And, Gentle Reader, the outer pair was the same digit, too.)

A couple days later, she told me that she’d checked the other bins, and yes, they only differed by the middle digit and there were only two distinct codes in the building. I’m not sure this says anything about data destruction companies. Remember, they have to have a manageable business, and most locks merely keep honest people honest. The system that company was (is?) using is almost certainly better than the alternative — an easily pickable key lock.

Photo by Lady, That’s My Skull.
