What Are Drive Warranties Really Worth?

[Michael Cecil]

A month or so ago I was given 300 failed laptop drives from a large
manufacturer.

Having fixed most of them, I have to say that a fair proportion
contained what I could only describe as "intensely" personal data.

Given that these drives were all returned to the manufacturer for
warranty replacement, and they ended up in my hands, I can only assume
that other people have managed to get their paws on old drives and that
the less scrupulous will have had at least a slight temptation to do
something with the data.

I heard a story on the podcast Cyberspeak a while back. Some fellow got a
call out of the blue from a person who had his hard drive. You see the
fellow had taken his computer in to Best Buy, IIRC, to have the failed
hard drive replaced. He was worried about his sensitive data falling into
the wrong hands but was assured by the Best Buy "techs" that they would
destroy the old drive.

Talking to the person who now had his old drive, he found out it had been
sold on Ebay instead of being destroyed. The new owner had been able to
do at least some data recovery on the drive and that was how he figured
out the original owner's name and phone number.

 

[Arno Wagner]

A month or so ago I was given 300 failed laptop drives from a large
manufacturer.

Having fixed most of them, I have to say that a fair proportion
contained what I could only describe as "intensely" personal data.

Given that these drives were all returned to the manufacturer for
warranty replacement, and they ended up in my hands, I can only assume
that other people have managed to get their paws on old drives and that
the less scrupulous will have had at least a slight temptation to do
something with the data.

If you have personal data on a drive and you would rather it stayed that
way, don't return your drive - destroy it and purchase a new one.

Or encrypt. For personal data any encryption that takes significant
effort, say > 1 week of work, will be enough for warranty / return
purposes. After all, the repair people will not know whether there is
anythink interessting on the drive and likely will not look if it
takes real effort.

One question: Did ''fixing'' these disks actually involve
hardware repair, or were these basically fine disks that just
needed a re-certification (i.e. could have been erased without
problems...)?

Arno

 

[Arno Wagner]

On Sun, 17 Dec 2006 09:10:25 +0000, Odie Ferrous

I heard a story on the podcast Cyberspeak a while back. Some fellow got a
call out of the blue from a person who had his hard drive. You see the
fellow had taken his computer in to Best Buy, IIRC, to have the failed
hard drive replaced. He was worried about his sensitive data falling into
the wrong hands but was assured by the Best Buy "techs" that they would
destroy the old drive.

Talking to the person who now had his old drive, he found out it had been
sold on Ebay instead of being destroyed. The new owner had been able to
do at least some data recovery on the drive and that was how he figured
out the original owner's name and phone number.

Moral: Don't trust others for security purposes, unless these others
hase something significant to loose. A "we will destroy it"-promise
is basically with nothing.

Arno

 

[Arno Wagner]

Even if you won't exercise the warranty, many people will. That means
companies with longer warranties have a stronger financial incentive to
make long-lasting drives than those that don't. IMHO a long warranty is
the only meaningful vote of confidence manufacturers can place in their
products. MTBF figures are just talk, and talk is cheap.

Not quite. MTBF figures can get get you into hot water if they are
not true because you lied. But this would be difficult to demonstrte.
Basically it would need a whistle-blower.

I agree, that in practice, long warranty periods mean that the
manufacturer will earn less on bad drives. They will also have to
keep inventory or give you better drives on returns.

However I have had one case were this failed: NETGEAR. They still have
not returned any warranty replacement for about 15 failed GA302T that
we sent them about a year ago. (Warranty runns for another year or
so...) Since legal action is not really cost-effective, they will get
away with this, unfortunately. It is also a systematic problem with
NETGEAR. We had to threaten them for about 3 months in order to
replace a 24 port GbE stwicht for the second time (first lasted 2
years, second one lastes 1.5 years). So a 5 year warranty may be
worth not much in specific cases. I would guess that HDD
manufacturers cannot afford not to back it (bad press), but others
apparently can....

Arno

 

[jim evans]

More fool you. Plenty only consider the problem when the drive dies.

What problem? Isn't it "paranoid" to consider this a problem?

-- jim

 

[David Flory]

A month or so ago I was given 300 failed laptop drives from a large
manufacturer.

Having fixed most of them, I have to say that a fair proportion
contained what I could only describe as "intensely" personal data.

Given that these drives were all returned to the manufacturer for
warranty replacement, and they ended up in my hands, I can only assume
that other people have managed to get their paws on old drives and that
the less scrupulous will have had at least a slight temptation to do
something with the data.

If you have personal data on a drive and you would rather it stayed that
way, don't return your drive - destroy it and purchase a new one.

That's a disturbing story!

Could you tell if these were OEM drives from returned laptops, or drives
returned directly to the drive manufacturer?

 

[Rod Speed]

What problem?

Both the risk of someone getting access to your data
and the risk of losing it without proper backups.

Isn't it "paranoid" to consider this a problem?

Depends entirely on your data. If you keep your passwords
etc on the drive, there are obvious ways around that problem,
like changing the passwords before you make the warranty
claim, or choose to keep them on a 'thumb' drive etc.

If you're involved in flagrantly illegal activity, it might well be a
good idea to destroy the drive instead of making a warranty claim.

Or just encrypt the data that matters in a bulletproof way so that its
useless to anyone who might get the drive returned under warranty.

 

[Paul Rubin]

Depends entirely on your data. If you keep your passwords
etc on the drive, there are obvious ways around that problem,
like changing the passwords before you make the warranty
claim, or choose to keep them on a 'thumb' drive etc.

If you're involved in flagrantly illegal activity, it might well be a
good idea to destroy the drive instead of making a warranty claim.

Oh come on, there's a vast middle ground. Drives can be full of
confidential business data and correspondence, for example.

 

[Rod Speed]

Oh come on, there's a vast middle ground.

Corse there is.

Drives can be full of confidential business data and correspondence, for example.

Completely trivial to encrypt that too if you consider the risk of
it getting seen by anyone when you return the drive matters.

Obviously if its business data, you may well consider that
a replacement drive is a cheap way of protecting your data
when drives dont fail very often and its just another cost of
doing business etc and that approach makes more sense than
bothering with encryption and the risk of loss of the key etc.

Its very unlikely indeed that 'confidential business data and correspondence'
can fall into the hands of anyone who can actually use that. But if you are
that paranoid, there are a variety of obvious things to do. Not a shred of
rocket science required whatever.

 

[Paul Rubin]

Completely trivial to encrypt that too if you consider the risk of
it getting seen by anyone when you return the drive matters.

I agree that encryption is a good approach but it's a considerable
hassle and most people don't bother.

Its very unlikely indeed that 'confidential business data and
correspondence' can fall into the hands of anyone who can actually
use that. But if you are that paranoid, there are a variety of
obvious things to do. Not a shred of rocket science required whatever.

I had a near miss with a drive full of such data where I worked,
though it wasn't related to a warranty repair. The drive had been in
one of our managers' machines that had been taken out of service. Our
IT department redeployed the machine for delivery to a customer, after
deleting the files but not bothering to scrub them. This was noticed
only at the last minute.

 

[Rod Speed]

I agree that encryption is a good approach but it's a considerable hassle

Nope, not if you use a couple of the obvious approaches for that.

and most people don't bother.

Because they realise that the risk is so low and the cost
of just buying another drive if the original dies is so low.

I had a near miss with a drive full of such data where I worked,
though it wasn't related to a warranty repair. The drive had been in
one of our managers' machines that had been taken out of service.
Our IT department redeployed the machine for delivery to a customer,
after deleting the files but not bothering to scrub them. This was noticed
only at the last minute.

Different matter entirely to what was being discussed with drive warrantys.

And the IT dept clearly needs a boot up the arse.

 

[Paul Rubin]

Nope, not if you use a couple of the obvious approaches for that.

Come on, it's not that easy, even for someone like me (a software
developer specializing in cryptography). And there's so much snake
oil out there that selecting the right software is very hit-or-miss
for someone who doesn't know what they're doing. Finally, the
performance hit from software encryption is nontrivial, and any
attempt to encrypt just the sensitive data while leaving the
not-so-sensitive data unencrypted invites a lot of errors that let
sensitive data leak into the unencrypted region. So it's best to
encrypt everything if you're going to encrypt anything.

Seagate has announced they're going to put hardware encryption into
some HD's, which is a good idea, but this is a while ago and I still
don't see it available in any actual products.

Different matter entirely to what was being discussed with drive warrantys.
True.

And the IT dept clearly needs a boot up the arse.

Also true.

 

[Rod Speed]

Come on, it's not that easy,

Corse it is with the three obvious approaches, the built in encryption in XP,
the ATA standard approach, and whats available with some thumb devices.

even for someone like me (a software developer specializing in cryptography).

That just because you are choosing not to use what's standard in the OS.

And there's so much snake oil out there that selecting the right software
is very hit-or-miss for someone who doesn't know what they're doing.

Nope, not with those three I listed.

Finally, the performance hit from software encryption is nontrivial,

Irrelevant to any purported hassle involved in encryption.

and any attempt to encrypt just the sensitive data while leaving
the not-so-sensitive data unencrypted invites a lot of errors that
let sensitive data leak into the unencrypted region.

Depends entirely on how you choose to do the encryption.

So it's best to encrypt everything if you're going to encrypt anything.

It aint that black and white.

Seagate has announced they're going to put hardware encryption
into some HD's, which is a good idea, but this is a while ago and
I still don't see it available in any actual products.

The ATA standard approach has been around for a long time now and works fine.

Not that secure, but quite adequate when dealing with theft and warranty
claims when the data is just basic business data thats not much use to anyone.

 

[Odie Ferrous]

That's a disturbing story!

Could you tell if these were OEM drives from returned laptops, or drives
returned directly to the drive manufacturer?

Both. Same story.

Needless to say, my verifiction process (in order to determine
compatibility with component transpants) securely erases all data.

However, I have witnessed attempts to recover data in order to seek
"questionable content" by other companies.

If in any doubt, crush the drive.


Odie

 

[Paul Rubin]

Corse it is with the three obvious approaches, the built in encryption in XP,
the ATA standard approach, and whats available with some thumb devices.

I don't use XP, I'm not sure what you mean by the ATA standard
approach, and the stuff that comes with thumb devices I've seen is
snake-oil and Windows dependent.

That just because you are choosing not to use what's standard in the OS.

Keep in mind that we may not all be using the same OS. Think of a
Tivo owner with personal video (made in their bedroom) on their Tivo's
hard drive. Where do they install the encryption? Some camcorders
now even record directly to an internal hard drive (like an ipod)
instead of to a tape cartridge. That, too, is difficult to arrange
encryption for.

Irrelevant to any purported hassle involved in encryption.

Huh? The performance hit is definitely a hassle. Besides the hassle
of having one's regular applications slowed down, it affects backups.
I spent considerable effort way back when, hacking GNU Tar to have
fast enough encryption to keep my old DDS-2 tape drive streaming on my
486 box from that era. Yes, CPU's are faster now, but tape drives are
much faster too. Doing software encryption fast enough to stream an
LTO drive is a considerable challenge even with today's fast PC's.

Depends entirely on how you choose to do the encryption.

Yes, this is what I mean, it requires choices to me made, choices that
are easy to get wrong.

It aint that black and white.

Well I'd be interested to know what your own setup is.

The ATA standard approach has been around for a long time now and works fine.

Again, I'm not familiar with this, a url would be appreciated.

Not that secure, but quite adequate when dealing with theft and warranty
claims when the data is just basic business data thats not much use to anyone.

If the data is not much use to anyone there would be no point in
encrypting it. If we're discussing encrypting it, it must be worth
protecting.

 

[Rod Speed]

I don't use XP,

Irrelevant to whether there is any real hassle in using that encryption.

I'm not sure what you mean by the ATA standard approach,

Have a look at the standard, listed under security.

and the stuff that comes with thumb devices
I've seen is snake-oil and Windows dependent.

Irrelevant if you are using Win.

Keep in mind that we may not all be using the same OS.

Again, irrelevant if you are using an OS that supports that.

Think of a Tivo owner with personal video (made in their bedroom)
on their Tivo's hard drive. Where do they install the encryption?

Irrelevant to that 'confidential business data
and correspondence' you were talking about.

Some camcorders now even record directly to an internal
hard drive (like an ipod) instead of to a tape cartridge.
That, too, is difficult to arrange encryption for.

Sure, but irrelevant if you just want to encrypt
'confidential business data and correspondence'

Huh? The performance hit is definitely a hassle.

Nope, there is no visible performance hit with XP encryption
with anything even remotely resembling a current system.

Besides the hassle of having one's regular applications slowed down,

Doesnt happen.

it affects backups.

Not necessarily. And thats irrelevant to whether it does protect the
data adequately as far as warranty returns are concerned anyway.

I spent considerable effort way back when, hacking GNU
Tar to have fast enough encryption to keep my old DDS-2
tape drive streaming on my 486 box from that era.

Sure, but that doesnt affect the modern backup approaches.

Yes, CPU's are faster now, but tape drives are much faster too.

Very few personal desktop systems use tape for backup anymore.

Doing software encryption fast enough to stream an LTO
drive is a considerable challenge even with today's fast PC's.

You dont have to encrypt on the fly.

Yes, this is what I mean, it requires choices to
me made, choices that are easy to get wrong.

Nope, not when you choose to encrypt all the data created on that PC.

Well I'd be interested to know what your own setup is.

Its irrelevant, I dont have any data that I care about
anyone getting access to on a hard drive failure.

Again, I'm not familiar with this, a url would be appreciated.

Its the ATA standard, its not available online for free.

If the data is not much use to anyone there would be no point in encrypting it.
If we're discussing encrypting it, it must be worth protecting.

Its not that black and white either. Some are needlessly paranoid about
their 'confidential business data and correspondence' and the ATA security
is quite adequate for protecting that sort of data if they want to do that.

 

[Arno Wagner]

Both. Same story.

Needless to say, my verifiction process (in order to determine
compatibility with component transpants) securely erases all data.

However, I have witnessed attempts to recover data in order to seek
"questionable content" by other companies.

Hmm. Wouldn't that be criminal under European privacy laws if done
without a court order?

If in any doubt, crush the drive.

Agreed.

Arno

 

[Paul Rubin]

Irrelevant to whether there is any real hassle in using that encryption.

Huh? Lots of people don't use XP. And some people who do use XP and
want encrypted filesystems run XP as a guest OS under something like
VMware so they can do the encryption on a host Linux system
specifically because there's apparently stuff wrong with XP's
encryption (I'm not familiar with the specifics).

Irrelevant to that 'confidential business data and correspondence'
you were talking about.

OK, that's fair.

Sure, but irrelevant if you just want to encrypt 'confidential
business data and correspondence'

The business data might be video recordings.

Nope, there is no visible performance hit with XP encryption
with anything even remotely resembling a current system.

I don't believe that, if the encryption is any good.

Not necessarily. And thats irrelevant to whether it does protect the
data adequately as far as warranty returns are concerned anyway.

It's relevant to whether there is hassle.

Sure, but that doesnt affect the modern backup approaches.

You mean backup to HD? Streaming isn't a problem but the slowdown
is still significant in that the backup takes longer.

Very few personal desktop systems use tape for backup anymore.

It's a problem for servers too. And anyway it still matters for
desktops. This is one of the issues in my thoughts when I consider
buying an LTO drive on Ebay for personal backups. Even for backup
to DVD it's significant.

You dont have to encrypt on the fly.

The alternatives add complexity.

Nope, not when you choose to encrypt all the data created on that PC.

Isn't that what I said? Encrypt everything instead of trying to separate
the sensitive from nonsensitive data.

Its the ATA standard, its not available online for free.

Well ok, but there must be a general description around somewhere.

Its not that black and white either. Some are needlessly paranoid about
their 'confidential business data and correspondence' and the ATA security
is quite adequate for protecting that sort of data if they want to do that.

I want to find out more about this ATA security. Is it something
implemented inside the drive? How many drives actually support it?

 

[David Flory]

Agreed.

Arno

I remember reading in the 80's that US Department of Defense procedure
was to actually take the drive apart and sandblast the platters! I
don't know if they still do that.

Of course this was when "crushing the drive" would have been fairly
difficult...some of those 5 1/4" hard drives were basically machined
aluminum bricks!

 

[Rod Speed]

I remember reading in the 80's that US Department of Defense procedure
was to actually take the drive apart and sandblast the platters! I
don't know if they still do that.

Of course this was when "crushing the drive" would have been fairly
difficult...some of those 5 1/4" hard drives were basically machined
aluminum bricks!

No they werent.