I visited a company yesterday.
They have all their employees using laptops that have classified government material on them. It is not SECRET, it is the lowest level, just above public.
They would only get about £150 to sell the laptops so they could be reused by someone outside the company. But they don’t do that, because it takes too long to open up the HP laptops and remove the SSD, so they instead just chuck the whole laptop in a shredder and it goes to landfill.
This process would be much quicker on a FW laptop, so would probably escape the landfill.
Sure, a FW laptop might provide a solution. But I have a feeling they may not opt to do it, even if there were very minimal to no obstacles. It sounds like the true problem is more fundamental.
They, the government agencies handling any level of sensitive information, just don’t care. Hope it’s safe to assume it’s the UK here, given the Pound currency. They should have enough buying power and influence to get a laptop or two with an easily removable SSD. If there were a couple of decent-sized countries that care, they could have a whole range of laptop models suited to whatever their common needs are. Really, there must be some current models already.
So it isn’t classified but is CUI or FOUO? Sounds like they should be using full-disk encryption then. BitLocker or dm-crypt for example. Then it wouldn’t matter so much how the disks were disposed of. It would also prevent potential data-leak issues from stolen or lost devices.
@bobh
They already use full-disk encryption, to protect the laptops if they are stolen.
So, I also don’t understand why they need to remove the SSDs.
One should just need secure erase by wiping the keys, but apparently not.
Encryption schemes can have flaws. It’s fine as a safety net for stolen devices and for in-use data, but not acceptable for disposing of drives in this case.
Depends of course on one’s threat model. As an individual, protecting just sensitive personal data? That can be enough. Provided you’re not a member of the press, high profile in some way or otherwise a valuable target. But for a company dealing with classified government material, or someone who could be a target? Hell, no. Nowhere near good enough for disposing of drives.
Some inkjet printers have telemetry (read: spyware) built into their ink cartridges; when they are recycled, the manufacturer could pay the recycling company to retrieve the spied data. So it’s better to destroy them all rather than recycle them. Given the fact that mainstream computers are already backdoored (Intel ME, AMD PSP, TPM 2.0), it’s better to shred the mainboard as well just to be safe.