My Pet Rock and the DOD 3 Pass
First let me say, after more than 30 years of working for or around the Department of Defense, I can assure you the DOD 3 Pass is not some high-tech secret memory wiping device (although that would be a cool tool to use on my wife when I make her mad!). No, I am talking about the infamous ‘DOD 3 Pass’ that I still see companies advertising today when selling their data wiping products, and that I hear about and see every day from companies destroying their data.
I ask those companies that still use these old standard guidelines (yes, OLD: the original DOD 3 Pass recommendation was listed in the NISPOM circa 1995… that’s 20 years ago), “Do you have any technology that you still use today from 20 years ago?!” The response is always the same: “It’s what we have always done” or “It’s what is in our rules for data destruction”. I know technology changes almost daily and on the security side we are always playing catch-up, but 20 years! (read that in your disgusted voice)
I bet right now you are saying to yourself, “Self… John is not talking to the right people, he needs to talk to the security folks or the IT folks or the CIO.” Great observation, but typically it is the IT folks or a C-level executive that I am having this conversation with.
To me, that means it is an education issue, so here is my attempt at educating….
In the old days there were hard drives. These hard drives were not like what you have in your laptop or computer today, not even close. These hard drives were BIG and they had big platters and big read/write heads (big in physical size). When storing data, sometimes those big write heads would act like your children and go ‘off track’ and write outside the lines (I was never patient enough to stay inside the lines either, I mean the quicker I was done the quicker Mr. Carr would let me go out to recess).
Imagine with me that you have the job of erasing in a straight line drawn with a pencil, but I drew the line all over the place. If you erased in your straight line you would never be able to erase all of what I drew; there would be some stray pencil marks left. That’s exactly what happened with the hard drives: when you ran the erasure program, it wasn’t able to erase the data that was written outside of the lines. The DOD 3 Pass was the government’s answer to this: write multiple times and you are sure to erase all the data. Yep, it’s that simple!
Fast forward to the late ’90s. Drive densities (the amount of data they can store) started growing exponentially, but the actual physical size of the drives themselves was shrinking (ever hear of the micro-drive? I was so in love with those things and they never really took off. Come to think of it, neither did my BETA or HD DVDs). In order to make this happen, manufacturers started focusing on the heads and the way data was written to the platters. They shrank the heads and tightened up the tolerances so they could write more data in the same amount of space. That meant that writing outside the lines or ‘off track’ was not acceptable anymore, and they made it almost impossible to do (I never say anything is totally impossible because we humans are too dang smart… I mean, we invented the Pet Rock!). What does all of this mean? Quite simply, much like NIST 800-88 states (the new government standard for getting rid of your data), a single pass erasure is more than sufficient for getting rid of your data.
You may ask, “What makes the difference if I do a single or 3 pass if I am getting rid of the data either way?” Good question. The good answer? Time. A 500GB drive can take on average 2 hours to fully erase. Multiply that by 3 and that’s how long it takes to do a DOD 3 Pass. We all learned in Business 101 that ‘Time is Money’, and this is the perfect example of losing lots of money by wasting lots of time!
One day I came home and my dad told me my Pet Rock had died and he had buried it. Through my tears I heard him say “All things have to die”. It’s time for everyone to admit the DOD 3 Pass myth needs to die. It’s time for companies to quit advertising it as a solution and for companies to stop using it as a standard.