Digital Graffiti

WARNING: IF YOU FOLLOW THE CODE IN THIS POST, YOU WILL DESTROY THE DATA ON YOUR DISK.

Being a Linux instructor for Guru Labs, I get to travel the United States, and on occasion, other countries. When on the road, usually I'm teaching Red Hat Enterprise Linux, but do sometimes teach Fedora Linux, SUSE Enterprise Linux Server and openSUSE Linux. Soon, I hope, we will be partnering with Canonical (Mark, paying attention? :) ) to teach Ubuntu Server LTS.

However, for the longest time, I wanted to leave my calling card, so to speak, showing I had visited that training center. I thought about changing the MAC address on the instructor machine, but that wouldn't work out so well. I thought about organizing the dry erase markers in some fashion, or leaving something on the white board, but that's extremely temporary. I needed something to say "Aaron Toponce was here" without causing any damage to the training center, or any of its equipment, and staying preserved.

I came up with an idea: I'll echo my name to every bit on the hard drive until the hard drive is wiped. This is an effective means of erasing the contents of your hard drive, and completely destroying the data. As we all know, when you install an operating system, the OS does not flip every single bit on the disk. In fact, it only flips the bits it needs to. As such, even after a reinstallation of your operating system, much of the contents of the previous install could still be visible. After echoing my name to every bit on the disk, unless every bit on the disk is re-flipped, my name will be present as long as the disk remains operational. As such, digital graffiti on the hard drive. Let's see how this works.

If you check out the man page on "yes", you will see that it outputs a string repeatedly until killed. I've really found no useful means for "yes", until now. "yes" can take one argument. That argument could be "Aaron was here". As you know with communication channels, you can redirect the output using the ">" operator. However, the shell performs that redirection before sudo runs, so an unprivileged shell cannot open the disk device that way. Because we want to save this to disk, we instead pipe the output to "dd" running under sudo, which writes it to our disk:

aaron@kratos:~ 10064 % yes "Aaron was here on $(date +%D). " | sudo dd of=/dev/sda

When yes reaches the end of the disk, it will stop, at which point, the disk has been wiped, and data destroyed. Now, perform a reinstall. After the installation finishes, examine the contents of the disk with "xxd". You'll want to pipe the output to the less pager, as the output of "xxd" will scroll past the screen. The output of "xxd" shows first the byte offset in the left column, then the contents of those bytes in hexadecimal, then finally, the ASCII representation of the hex. Notice in the ASCII column, the data of the first few bytes of the hard drive:

aaron@kratos:~ 1 % sudo xxd /dev/sda | head
Password:
0000000: eb48 906f 6e20 7761 7320 6865 7265 206f  .H.on was here o
0000010: 6e20 3038 2f31 372f 3038 2e20 0a41 6172  n 08/17/08. .Aar
0000020: 6f6e 2077 6173 2068 6572 6520 6f6e 2030  on was here on 0
0000030: 382f 3137 2f30 382e 200a 4161 726f 0302  8/17/08. .Aaro..
0000040: ff00 0020 0100 0000 0002 fa90 90f6 c280  ... ............
0000050: 7502 b280 ea59 7c00 0031 c08e d88e d0bc  u....Y|..1......
0000060: 0020 fba0 407c 3cff 7402 88c2 52be 7f7d  . ..@|<.t...R..}
0000070: e834 01f6 c280 7454 b441 bbaa 55cd 135a  .4....tT.A..U..Z
0000080: 5272 4981 fb55 aa75 43a0 417c 84c0 7505  RrI..U.uC.A|..u.
0000090: 83e1 0174 3766 8b4c 10be 057c c644 ff01  ...t7f.L...|.D..

If I were to continue through the less pager, I would see that there are sections where that string is repeated and repeated throughout the disk over and over again. Of course, it's not interfering with the day-to-day operation of the operating system, as the data segments on the disk are unused and unallocated. Those bits will lose their orientation when new data is saved in those spots.
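To put a number on how much of an earlier pattern survives a partial overwrite, and to confirm that a full pass leaves nothing behind, the following added example (not part of the original post) works on a scratch image file rather than a block device. The function names, the 512-byte sector size and the 64/16 sector counts are assumptions chosen for the illustration.

```shell
#!/usr/bin/env bash
# Added example: quantify residual marker data in a disk IMAGE FILE.
# Works only on a constructed scratch file, never on a block device.

MARKER='Aaron was here'   # string used in the post
SECTOR=512                # assumed logical sector size

# Fill a scratch image of <sectors> sectors with the marker line (constructed input).
make_image() {
    yes "$MARKER on 08/17/08. " | head -c "$(( $2 * SECTOR ))" > "$1"
}

# Stand-in for a reinstall: overwrite only the first <sectors> sectors, in place.
simulate_install() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count="$2" conv=notrunc 2>/dev/null
}

# Print how many distinct sectors still hold a marker occurrence
# (a match is attributed to the sector where it starts).
count_marked_sectors() {
    LC_ALL=C grep -obaF -- "$MARKER" "$1" |
        awk -F: -v s="$SECTOR" '{ seen[int($1 / s)] = 1 }
            END { n = 0; for (k in seen) n++; print n }'
}

# Succeeds only when no marker residue remains anywhere in the image.
verify_clean() {
    [ "$(count_marked_sectors "$1")" -eq 0 ]
}

# 64-sector image, "install" touches 16 sectors, then a full zero pass.
demo() {
    local img; img=$(mktemp)
    make_image "$img" 64
    simulate_install "$img" 16
    echo "after partial overwrite: $(count_marked_sectors "$img") sectors marked"
    simulate_install "$img" 64
    verify_clean "$img" && echo "after full overwrite: clean"
    rm -f "$img"
}

demo
```

The same count, run against an image taken from a disk that is about to be reissued or disposed of, shows whether any earlier pattern is still readable.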

As an instructor, I probably won't show the students the contents of the instructor machine's hard drive in this manner. Other instructors probably won't either. So, this data remains hidden as an easter egg waiting for somebody to stumble on it. However, I'm keeping a list of all the training centers I've visited and where I've left my calling card. It will be interesting to see if this data does in fact remain intact when I visit again.

{ 8 } Comments

  1. Henrik Pauli using Konqueror 3.5 on Kubuntu | August 17, 2008 at 12:47 pm | Permalink

    Nice :) Now do it without needing a reinstall :P

  2. Wilmer using Firefox 3.0.1 on GNU/Linux | August 17, 2008 at 2:10 pm | Permalink

    sudo doesn't magically make your shell run as root, so the command isn't going to work, don't worry people. :-)

    You could do something like

    yes foo | sudo dd of=/dev/sda

    instead.

  3. Aaron using Firefox 3.0.1 on GNU/Linux | August 17, 2008 at 3:54 pm | Permalink

    @Henrik- This can easily be done by creating a file with the same content until it fills all remaining hard disk space.

    @Wilmer- Yes, you are correct. Unless the /etc/sudoers file has been set up, 'sudo' doesn't give magic root access. However, I'm an Ubuntu blogger, and on the Ubuntu planet, so I'm making the assumption that most of my readers are also using Ubuntu, which means that sudo will be properly set up. Further, there is also more than one way to skin a cat, as you have shown.

  4. Jordon using Firefox 3.0.1 on GNU/Linux | August 17, 2008 at 6:01 pm | Permalink

    I recently wrote a post on my blog about "undeleting" old data and using GNU shred to overwrite it for good. Your method is much more clever. The next time I need to wipe an old flash drive, I can make it say, "Move along, nothing to see here..."

  5. Alphager using Firefox 3.0.1 on Windows XP | August 18, 2008 at 2:14 am | Permalink

    This does *NOT* securely delete data!
    Even if you overwrite every single sector of the disk, the original content still can be recovered using special equipment.

    While this is fun, it is NOT an alternative to shred.

    Quote from shred:
    On a busy system with a nearly-full drive, space can get reused in a few seconds. But there is no way to know for sure. If you have sensitive data, you may want to be sure that recovery is not possible by actually overwriting the file with non-sensitive data.

    However, even after doing that, it is possible to take the disk back to a laboratory and use a lot of sensitive (and expensive) equipment to look for the faint “echoes” of the original data underneath the overwritten data. If the data has only been overwritten once, it's not even that hard.

  6. Jordon using Firefox 3.0.1 on GNU/Linux | August 18, 2008 at 7:57 am | Permalink

    That's true, but such techniques are out of the reach of most people.

  7. Wilmer using Firefox 3.0.1 on GNU/Linux | August 18, 2008 at 1:42 pm | Permalink

    @Aaron: I'm actually writing this on an Ubuntu box:

    wilmer@ding:~$ sudo yes "Aaron was here on $(date +%D). " > /dev/mapper/ding-vmware
    bash: /dev/mapper/ding-vmware: Permission denied

    The problem is, sudo is spawned as a subprocess, which will then be root because sudo is setuid-root (and then read /etc/sudoers, see if the caller is allowed to use sudo with the given arguments, etc, and then start yes).

    The redirection to /dev/sda is done by the parent shell already, not by sudo. The shell never becomes root so it will never be able to write to /dev/sda.

  8. Aaron using Firefox 3.0.1 on GNU/Linux 64 bits | August 19, 2008 at 7:40 am | Permalink

    @Wilmer- Ahh, yes. Heh. I know better too. I ran "yes" as root, grabbed a copy of the data after a reinstall, then wrote the post, not actually testing if it worked or not. Thanks for pointing it out. Duly noted and fixed.
