Shootout: 'rm -Rf /' vs. 'Format C:'

skyshock21 writes "There's an article over at hohle.net about what actually happens when you type the commands Format C: in windows versus rm -Rf / in Linux. Very interesting results indeed. Myths are busted, and hilarity ensues."
  • by faragon ( 789704 ) on Wednesday November 03, 2004 @08:12AM (#10709097) Homepage
    Well, without the verbose/interactive flag, the 'rm' approach is quite a bit more dangerous; still, the word 'format' itself is, subjectively, less musical than 'remove'.
  • Yes I rta (Score:2, Interesting)

    by n54 ( 807502 ) on Wednesday November 03, 2004 @08:16AM (#10709129) Homepage Journal
    Talk about trying to kill a simple joke, for all the braindead: it's the intention of the commands that is funny, not typing the command (well that too if it would work but only del *.* in real dos works and that was pretty much the original joke I guess).

    To remove this comment press F4 on windows...

    And FP btw
  • slow? (Score:3, Interesting)

    by miyako ( 632510 ) <miyako AT gmail DOT com> on Wednesday November 03, 2004 @08:20AM (#10709153) Homepage Journal
    I thought it was pretty interesting that it took so much longer to delete everything under windows/NTFS. Anyone know why this is (is NTFS slow, or is it the del command as the author guessed, or is there some other reason for this)?
  • Re:Yes I rta (Score:2, Interesting)

    by wdd1040 ( 640641 ) on Wednesday November 03, 2004 @08:25AM (#10709176)
    del *.* isn't the proper command. deltree /y *.* is. del *.* wouldn't delete the directories recursively; it'd be like rm -f /.
  • by Anonymous Coward on Wednesday November 03, 2004 @08:32AM (#10709207)
    was the message I got after trying to logout of a similarly trashed Debian Woody system.
  • by colores ( 766507 ) on Wednesday November 03, 2004 @08:38AM (#10709235)
    From: [sun.com] "Solaris 10 has (since build 36) a version of /usr/bin/rm (/bin is a sym-link to /usr/bin on Solaris) and /usr/xpg4/bin/rm which behaves thus:

    [28] /bin/rm -rf /
    rm of / is not allowed
    [29]"
  • by Rosyna ( 80334 ) on Wednesday November 03, 2004 @08:40AM (#10709244) Homepage
    Whatever the issue is it does prove one thing... Windows' System File Restore doesn't actually work too well. I mean you can easily delete NTLDR.dll and XP won't replace it. And this test shows that windows won't replace dlls if you start deleting things en masse. I know it sounds like common knowledge but some people honestly believe that system restore on Windows is the greatest thing ever and cannot be defeated. Go figure.
  • by ajs ( 35943 ) <{ajs} {at} {ajs.com}> on Wednesday November 03, 2004 @08:45AM (#10709271) Homepage Journal
    Along similar lines, a co-worker at one of my recent jobs had installed a machine for one of our remote users. He mounted the file-server's storage array directly in order to create the user's home directory. Unfortunately he did 3 things wrong:

    1. He left the root of the storage array mounted
    2. He left it mounted under /tmp
    3. He left the tmp-cleaning cron job enabled

    When we started to see user files go away (but directories left intact) we thought we were under some kind of attack... we were right in a way ;-)
  • Re:openbsd rm (Score:3, Interesting)

    by ajs ( 35943 ) <{ajs} {at} {ajs.com}> on Wednesday November 03, 2004 @08:53AM (#10709322) Homepage Journal
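    #!/bin/sh
    # file wiper
    #
    # I recommend against ever using this. It is often
    # the case that you DON'T want to make sure that
    # no effort used to recover a file can work.

    # "$@" and the quoted "$file" keep names containing spaces or globs intact
    for file in "$@" ; do
        size=$(stat -c '%s' "$file")
        # three passes of random data, each the length of the original file
        for i in 1 2 3 ; do
            head -c "$size" /dev/urandom > "$file"
        done
        rm -- "$file"
    done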
  • Re:Ok (Score:2, Interesting)

    by torpor ( 458 ) <ibisum.gmail@com> on Wednesday November 03, 2004 @09:03AM (#10709374) Homepage Journal
    It's not so hard to run either windows/DOS or linux in a VM with debug/trace turned on, logging all, for analysis. It's not something that 'takes a lot of time', just a bit of effort.

    the beautifulness of this article (which i haven't read) is that it (probably) frames the difference between two OS's on the basis of 'stupidest luser thing to type', and thus is interesting to .. guess i'll go read the article now..
  • by 1nhuman ( 597328 ) on Wednesday November 03, 2004 @09:05AM (#10709387)
    Actually a Dutch (national) prosecutor did something similar a month ago. He thought his HDD failed and put his whole PC with his garbage on the street.

    Unfortunately a taxi driver took the PC with him and managed to boot the machine and found an enormous amount of very confidential information on the HDD. Information about some top crime and fraud cases. The taxi driver then sold this HDD to a Dutch TV crime fighter.

    In the end this got the prosecutor fired. Which I think is sort of unreasonable, since the major issue is the justice department's lack of decent security procedure.
  • by Anonymous Coward on Wednesday November 03, 2004 @09:27AM (#10709518)
    here's a coral cache:
    http://hohle.net.nyud.net:8090/scrap_post.php?post=23&m=full
  • Re:openbsd rm (Score:3, Interesting)

    by tuffy ( 10202 ) on Wednesday November 03, 2004 @09:40AM (#10709602) Homepage Journal
    I'd never heard of shred, so I checked it out, and found this interesting tidbit in the man page:

    CAUTION: Note that shred relies on a very important assumption: that the filesystem overwrites data in place. This is the traditional way to do things, but many modern filesystem designs do not satisfy this assumption.

    This is quite true, which is why shred is generally more effective when used on an entire device (/dev/hdb, /dev/fd0, etc.) rather than on a single file on a filesystem. Even then, however, it may not be completely effective if the drive's firmware has moved your data around behind-the-scenes. But it's probably good enough for a lot of people depending on just how valuable the deleted data is.
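
Added example, not part of any comment in this thread: the wiper script posted earlier redirects with `>`, which truncates the file before rewriting it, so the filesystem is free to place the new data in different blocks; the function below writes over the existing contents without truncating, which is the in-place behaviour the shred caution depends on. It assumes GNU coreutils (`dd conv=notrunc,fsync`), the name `overwrite_in_place` is made up for illustration, and the man page's caveats about filesystems that do not overwrite in place and about drive firmware still apply.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils dd.
# overwrite_in_place FILE [PASSES]
# Overwrites FILE's current contents with random data, keeping its length,
# without truncating it first. Does not delete the file.
overwrite_in_place() {
    file=$1
    passes=${2:-1}

    # Regular files only: following a symlink or writing into a device
    # node by accident is exactly the kind of mistake this thread is about.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "overwrite_in_place: not a regular file: $file" >&2
        return 1
    fi

    size=$(wc -c < "$file") || return 1
    size=$((size))                  # normalise any padding in wc's output
    [ "$size" -gt 0 ] || return 0   # empty file: nothing to overwrite

    pass=0
    while [ "$pass" -lt "$passes" ]; do
        # conv=notrunc: open without O_TRUNC, so existing blocks are reused
        #               where the filesystem overwrites in place.
        # conv=fsync:   flush data to the device before dd exits.
        head -c "$size" /dev/urandom |
            dd of="$file" bs=64k conv=notrunc,fsync 2>/dev/null || return 1
        pass=$((pass + 1))
    done

    # The file must still have exactly its original length.
    [ "$(($(wc -c < "$file")))" -eq "$size" ]
}
```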

  • Re:rm -Rf / (Score:2, Interesting)

    by dr_d_19 ( 206418 ) on Wednesday November 03, 2004 @09:53AM (#10709685)
    We had a large collection of .cfg-files in the directory in which I was working. Also, a whole lot of left-over files (from our in-house editor utility) which had no "file ending".

    So, there I was, late at night, getting tired of all those #%!&/#!%# backup-files.

    Since I wanted to keep my .cfg's, I typed:
    rm -rf . *
    Which, of course, was wrong. What I wanted was:
    rm -rf .*
    While the parent post had backups - and I was absolutely certain we had them too - we did not.

    That was a loooong week :)
  • by Greyfox ( 87712 ) on Wednesday November 03, 2004 @10:28AM (#10709923) Homepage Journal
    Oddly enough, that DIDN'T work for me once. At that point I started to get suspicious...

    A couple months ago I bought a new system and after I got done transferring my files I gave my room mate my old drives. One of them worked OK on her Windows system for all of about 3 days, then she tells me that her friends who provide her Windows support thought I was some sort of IT God because I'd set Windows up so that they couldn't delete the files on that drive, even with admin support. I disclaimed all responsibility, saying that I'd just gone through the install normally.

    Well after another few days her friends had thrown their hands up saying they couldn't do anything with the system. At this point we decided that something they'd done probably hosed the system up, so we decided to reinstall Windows. Only the windows install fdisk and format didn't seem to want to touch the drive either.

    Still not trusting Microsoft, I fired up a knoppix CD and went after it with the linux fdisk. No dice. Finally I did a dd if=/dev/zero of=/dev/hda. And THAT didn't work.

    "Inconceivable," I said to myself but I had one weapon left in my arsenal. I popped out to Maxtor's web site and downloaded the low level format utility for that type of drive. Now this was the first time I'd ever low level formatted an IDE drive, so I was quite excited. I fired it up and let it go. And THAT didn't work. So I decided that the drive was no longer capable of being written and removed it from the system.

    The funny thing about this whole mess (Other than me wasting about a week on the system) was that no one ever indicated that there was any error writing to the drive, and it actually looked like data on the drive was changing up until the system was rebooted. All I can think is that the data was being changed on an on-disk RAM buffer on the drive, but that the drive's physical ability to be written no longer existed. Even my attempt to low-level format the drive looked like it was working right up until I rebooted the system.

  • by achurch ( 201270 ) on Wednesday November 03, 2004 @10:43AM (#10710005) Homepage

    Along the same lines, I had at one point a link "~achurch" in my public_html directory, for compatibility after my homepage changed URLs. So (you can guess what comes next, I'm sure) I decided one day, several years later, to clean up my web stuff:

    $ rm -r tmp/ x.html [...] ~achurch/
    rm: override permissions 000 for /home/achurch/.xcdroast? _

    I have no idea why my .xcdroast was 000, but it saved me a huge amount of frustration. I now place a file "..norm-r", mode 000, in important directories and rename things around to make sure it's always first in the directory file. And I never, ever use -f.

  • Re:text (Score:1, Interesting)

    by Anonymous Coward on Wednesday November 03, 2004 @10:56AM (#10710118)
    just tried in windows xp and I got the following:

    D:\>format c: /autotest
    Invalid parameter - /autotest
  • by Firethorn ( 177587 ) on Wednesday November 03, 2004 @11:15AM (#10710263) Homepage Journal
    Physical destruction is the only authorized destruction method for many classified drives.

    On my base, we sometimes took the drives over to EOD (Explosive Ordnance Disposal). They reportedly had a great time.
  • by freqres ( 638820 ) on Wednesday November 03, 2004 @11:30AM (#10710421)
    Or try debug < losepart.src
    where losepart.src is:
    F 200 L1000 0
    A 100
    MOV AX,301
    MOV BX,200
    MOV CX,1
    MOV DX,80
    INT 13
    INT 20

    G
    q
  • Re:sudo password (Score:4, Interesting)

    by surprise_audit ( 575743 ) on Wednesday November 03, 2004 @11:45AM (#10710581)
    Sounds like they're finally catching on to Multics-type security from back in the 80s, where you could own a file, have read/write access, and still not be able to touch it if it was created in a different privilege level...
  • by LaCosaNostradamus ( 630659 ) <[moc.liam] [ta] [sumadartsoNasoCaL]> on Wednesday November 03, 2004 @12:05PM (#10710769) Journal
    Let me see if I understand this ... a Dutch prosecutor put his entire computer out in the trash for anyone to come by and take? Firing's too good for him. Anyone in his position should know security procedures for document handling. Are you sure he didn't break Dutch law?
  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Wednesday November 03, 2004 @12:42PM (#10711182)
    I've always thought that it should be the recipient of a used storage device, howsoever acquired, who should be bound to secrecy in respect of its contents. If their intentions are honest, and all they want to do is store stuff on it, fine. If they want a little peek, well, that's pushing it. But the minute they base a decision on something they discovered there, or communicate it to a third party, they've definitely crossed a line.

    Also, if you don't do a bad block scan {which wipes out any pre-existing data good and proper} on a used hard drive when you create the file system{s} on it, you're just asking for trouble.

    I recommend dd if=/dev/audio of=/dev/hda1 {or whatever; but basically you want to get the raw data coming in from the sound card and write it straight to the disk partition} before passing on a used drive. Crank up the input gains to the max, but don't actually plug anything in ..... let the static and power hum do their job, which is to create entropy. After one overwrite cycle, there is no way the drive can recover the data by itself; specialised techniques are required whose cost is prohibitive and whose reliability is questionable. After two overwrite cycles {with high-enough entropy data}, even they don't work. Anything more than two overwrites is a waste of effort, and resources; there is always an easier way to reconstruct data when just one copy of it has been overwritten magnetically.
  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Wednesday November 03, 2004 @01:16PM (#10712280)
    You can unmount an ext3 file system, and remount it as an ext2 file system. Then you'll get known in-situ overwrites. But if you didn't increase the length of a file, there's no reason for the OS not to write it back right where it used to be, so sync ought to force it to complete the operation. Although some of the writes may be optimised away.

    And I'm not so sure about the viability of recovering overwritten data anyway, even with electron microscopes and whatnot. Let's face it, if it was at all practical, someone, somewhere would have used the techniques to build a high-capacity drive that worked by storing new data "over the top of" old data, and there'd be a fanfare of press releases about it -- and no end of debate on Slashdot over whether the patent was enforceable.

    Microscopic techniques might have worked once with low density devices, but today's drives can easily pack 2000x as much information into the same amount of space as was common just 10 years ago. It's my assertion that all claims regarding the recoverability of overwritten data are hopelessly exaggerated if not absolute bullshit. I'd like to see a proper scientific study, but I have a feeling there are more compelling reasons not to do one ..... For one, the authorities would like to pretend they can recover data even if they couldn't {even if only to give plausible deniability to some of their operations; they'd prefer you to think they got that data from your used hard disk than to find out how they really got it}. For another, HDD manufacturers sell more new units if there aren't so many second hand ones on the market. And for the kicker, if it can be shown that the Government has been needlessly destroying valuable goods bought with taxpayers' money, it's going to be every lawyer's birthday at once.
  • by owlstead ( 636356 ) on Wednesday November 03, 2004 @06:36PM (#10716960)
    Actually he got another job at the justice dept to make use of his expert knowledge. I'm afraid that my hope that he now is cleaning up the toilets is in vain. The problem is indeed as mentioned; he should never EVER have had this information on his home PC in the first place. He mentioned that a virus destroyed his PC. How the hell did he catch a virus on his home PC? Simple. It was directly connected to the internet. They cleaned out his mail account three days afterwards. Tar pit is too good for dinosaurs like him.
