Paul Uszak said:
My scenario calls for a program that will run on varied machines. It will then securely delete a part of itself when the program has been run. I was wondering if this could be achieved solely in Java?
What's to stop them from having the JVM pause and dump your code? There's even an open source JVM which can be made to do anything with your bytecode.
I don't know high profile examples from Java, but for other VM languages, you can look at Dropbox's attempts to obfuscate Python (they used a custom interpreter) and Zend's attempt to build a PHP obfuscator using encrypted bytecode. It doesn't work, because, eventually, you have to run regular bytecode and the interpreter or JVM will give you up when sufficiently prodded.
You're going to need a language that runs on the metal, or you're going to need to fork the JVM and add obfuscation into it. You can't run regular Java bytecode that's binary compatible with a standard JVM. You could send the data over the internet to a private server you control, run your secret algorithm on that, and send the data back.
phinds said:
I'm with you on this one, but there have always been people who are paranoid about security who insist that it is possible. That has never made the slightest bit of sense to me, but I've never delved into the technical details, so I cannot say w/ 100% assurance that it can't be done. There are numerous apps, and pretty much always have been (since the early days of PCs), that "guarantee" what they call "secure" overwriting, which means writing to the same exact magnetic bit over and over, and people buy them or they would not still be around.
In the old days they felt you could use electron microscopes and similar tools to read the residual signatures from the disk, and you could, so various governments therefore drew up secure disk wiping schemes like the famous 7-pass that's used by the US Government. However, newer drives have a much higher density of data, and we currently believe it's not possible to extract data meaningfully from a disk that's been zero filled once. It's known various intelligence agencies were unable to recover data from the wiped portions of Edward Snowden's MacBook. If you need another name to google w.r.t. secure erase, there is some work by Gutmann. I believe he was the original author of the '7 pass' paper.
Of course with SSDs it's more complex, as they can reorganise data with their internal controller, so you have no guarantee that if you write to the same spot on the disk twice you will actually get the same physical cell both times. However, a zero fill of the entire drive does work. To be honest I am not sure how SSDs do it, but I know you can't rely on file-level zero-fills on an SSD. It's got to include free space.
The current recommended way to securely erase data when a PC is destroyed is an industrial shredding machine or thermite. It's just faster than any kind of erase. If you're reselling a machine, boot from a Linux USB stick and run "sfill". You can set the paranoia level in the options. Personally I run full disk encryption on all my stuff, so even if someone does steal it, they ain't going to get any data off it unless they hit me with a pipe until I give up the decryption keys.