I came across this blog post on Amazon EC2 through Digg. Samual Cossette, CTO of Poly9 Group, says:
If you plan to give [EC2] a try (and you definitely should), don't forget to use an encrypted partition or wipe your instances' hard drives, since Amazon won't do it for you. In fact, when you terminate an instance, Amazon simply shuts the machine down. Then, if the same physical machine is allocated to somebody else, a hamster goes to that machine, powers it up, formats the hard drives and reinstalls a brand new operating system. Herein lies the problem – the hard drives are only repartitioned and formated, not initialized. This means that all the data is still physically on the hard drives, even though it is not readily accessible!
Samuel goes on to mention that he was able to retrieve logins/passwords/keys/certificates for previous users' VPNs, domain administration interfaces, etc. His recommendation? Don't store private data in plain text.
While I was reading Samuel's post, Dan from ModernBill sent me a link to this Associated Press article. Trust Digital, a mobile security firm, bought 10 used cell phones on eBay. While previous owners seemed to have erased their personal data, Trust Digital managed to resurrect 27,000 pages worth of info from the devices - including text messages between illicit lovers, confidential emails on pending contracts, bank accounts info, passwords, prescriptions... Expert hacker Peiter Zatko suggests running over your used phone. Or giving it an acid bath.
Maybe M. (who'll remain unnamed, so as not to compromise his privacy), a college friend who recently moved to DC, has the right approach? He's appalled that I don't have a shredder, and he can't believe I get mail at my actual street address (he prefers PO Boxes at large post offices where his comings and goings won't be noticed). Recently he visited the IRS office in person to pay his estimated taxes - in cash! He does have a cell phone (with prepaid minutes; no service plan), but I wouldn't be surprised if there's not a single number on its address book.
I use bestcrypt. It's great for mounting large files (15,20,30 gigabytes) as an virtual filesystem. It's also encrypted. It'll also let you "wipe" files and gives you options for writing over the data. One of them is some DoD method. It's pretty intense.
Posted by: Sports Racer | October 08, 2006 at 12:08 AM
Just wondering if "M" is has all those concerns why is he paying taxes as according to Aaron Russo's new film America freedom to fascism on google:
http://video.google.com/videoplay?docid=-4312730277175242198&q=from+freedom+to+fascism&hl=en
there is no law requiring anyone to pay federal income taxes.
Posted by: Mario Rodriguez | November 01, 2006 at 12:49 PM
I use SecuBox - for encryption my ipaq handheld. The same principle as of bestcrypt - but its for PDAs and seems easier to use.
Posted by: pda encryptor | March 19, 2007 at 07:48 AM