Such an insightful video! Thank you so much for the research you do and for the time you take for the illustrations! It really helps me to get a grasp of the subject! :)
It saddens me that you don't understand, or at least are not articulating, secure erase "in the olden days". The reason for multiple passes came down to the accuracy and strength of the bit placement on the magnetic surface of the disk. The original bit could hypothetically could be determined through the use of a magnetic force microscope. Think of it like graph paper, where each square on the graph is a bit, also assume the erased area is "perfect" for this example. When you fill in or erase a square on the graph paper, you might over or under fill/erase the square leaving behind remnants (again assume the area that was filled in, or erased, was "perfect", but not the start and end positions). Multiple passes would attempt to "assure" that no remnants are left behind, because each pass the start position might be slightly different resulting in different areas of coverage. Since reality is never perfect, there is also the factor of the strength, which I left out in my example. As disk drive write performance improved over the years, 1 pass is usually enough, 3 passes if you think you need it. 7 passes typically have been associated with government standards for handling secure data erasure. Of course the only true method for securely destroying the information is physically destroying the drive. Because of wear leveling in SSD designs, data "evaporation" is a thing. Depending on the size of the SSD, a deleted file will eventually be overwritten anywhere from 10 minutes to a few hours. "Evaporation" has been mentioned and demonstrated at multiple defcon conferences over the years, which can be viewed on TH-cam. As disk encryption by default becomes the norm, the fastest way to delete data on the encrypted drive is just to delete it's header with the keys, as you mentioned in this video.
awesome video. when are you doing an updated firefox settings video since we are in the 100's now? What do you think about Orion Browser? Is this the same for the iphone too with erase all content and settings?
I don't know how easy it is be or if it fits onto your channel, but it would be really cool to have a video about the Secure Enclave which goes into technical depth but doesn't require one to study electrical engineering I know how a TPM works and it would be nice to see where the Secure Enclave differs and who produces the chips
I've saw some details in the past. You can search for "macOS secure boot" and those talks usually mention the secure enclave a lot. There are talks from actual apple employees explaining the cat and mouse game to secure boot in a way that the OS cannot be tampered with, not even by devices with the more privileged of plug and play classes. The same engineers have talks on secure enclave, IIRC
Firefox episode is still valid but there are easier ways to configure things now using user.js. See github.com/arkenfox/user.js/ which inspired config I use now.
Hi Sun. One question I have is does the drive always have a single key (k) or can that key change (not just k*) AND if (k) can't change is it always the key provided by Apple?
My understanding is that “k” is set when encrypted APFS volume is created… and one cannot change key (which is essentially a 256-bit AES key wrapped by “k*”).
@@sunknudsen AFAIK "k" is a random generated value at first. Then "k" is stored encrypted by the hardware UUID. When you change your password and enable filevault it reads "k", and stores it encrypted by more keys (the old copy is destroyed, k is the same but it is now encrypted differently). Lastly, when you secure erase is when "k" is randomly generated again and no copies of the old one are left. In that sense you can change "k". I mean, Sun knows more than I do, but reading the reply I thought a more step by step explanation could help. In addition, I would expect "k" is never on RAM. It is probably only held in the secure enclave memory and on the dedicated encryption/decryption silicon on apples processors. On intel macs it used to be on the T1 or T2 chips. I didn't read all the documentation, I am quoting from podcasts and tech talks I watched, so take it with a grain of salt.
Perhaps Intel Macs with T2 chips have effaceable storage… see support.apple.com/en-ca/guide/security/sece8608431d/web. That is what one needs to crypto-shred encrypted drive… File Vault on its own does not solve that problem.
Erasing data securely on different operating systems is an important and interesting topic and one i feel like isnt talked about enough. I was reading the Hitchhikers Guide to Anonymity and they went over the limitations on MacOS in great detail. I would recommend folks take a look. Also, semi-related. I have two apple devices that are M1 and now M2. I recently found out tails doesnt run on Silicon Macs and am looking for an alternative if anyone has one.
Sun, I have feedback on how you handle your generally useful content to your new business. My suggestion is to do as many content creators do: Use 5 seconds at the start to say the video is sponsored by your business, make the content 100% unrelated to your business and in the end, you explain why this content is also useful to your costumers. It would look a lot better, as the channel keeps true to its values and people not interested in being your customer have the choice to stop watching at the very end without missing useful content. Also youtube algorithm knows ads are in the end and count a "view" when people stop to skip the "ad".
@@sunknudsen Love your content. I think the current implementation of the your business mentions is too seamless, it catches the viewer off guard and is confusing. I'd play with a clearer partition between the two using a transitional statement and a title frame. Ex. "Now I'd like to tell you how SuperBacked can help make your iPad even more secure, etc...
Hm... Maybe, just maybe, you actually need to stop guessing and actually learn UNIX and filesystems. From someone who been building macs and spent 20 years building enterprise storage servers
I'm glad you're back Sun!
Pumped to be back!
Such an insightful video! Thank you so much for the research you do and for the time you take for the illustrations! It really helps me to get a grasp of the subject! :)
Pleasure! Glad content is helpful.
It saddens me that you don't understand, or at least are not articulating, secure erase "in the olden days". The reason for multiple passes came down to the accuracy and strength of the bit placement on the magnetic surface of the disk. The original bit could hypothetically could be determined through the use of a magnetic force microscope.
Think of it like graph paper, where each square on the graph is a bit, also assume the erased area is "perfect" for this example. When you fill in or erase a square on the graph paper, you might over or under fill/erase the square leaving behind remnants (again assume the area that was filled in, or erased, was "perfect", but not the start and end positions). Multiple passes would attempt to "assure" that no remnants are left behind, because each pass the start position might be slightly different resulting in different areas of coverage. Since reality is never perfect, there is also the factor of the strength, which I left out in my example.
As disk drive write performance improved over the years, 1 pass is usually enough, 3 passes if you think you need it. 7 passes typically have been associated with government standards for handling secure data erasure. Of course the only true method for securely destroying the information is physically destroying the drive.
Because of wear leveling in SSD designs, data "evaporation" is a thing. Depending on the size of the SSD, a deleted file will eventually be overwritten anywhere from 10 minutes to a few hours. "Evaporation" has been mentioned and demonstrated at multiple defcon conferences over the years, which can be viewed on TH-cam. As disk encryption by default becomes the norm, the fastest way to delete data on the encrypted drive is just to delete it's header with the keys, as you mentioned in this video.
Welcome back mate
awesome video. when are you doing an updated firefox settings video since we are in the 100's now? What do you think about Orion Browser? Is this the same for the iphone too with erase all content and settings?
Hi Sun! Great content as always, any news about Brave Browser?
Hey Alessandro, have an episode on the backlog about browser fingerprinting that involves Brave. That said, still use Firefox.
@@sunknudsen Thanks so much for your answer, have a nice one!
I don't know how easy it is be or if it fits onto your channel, but it would be really cool to have a video about the Secure Enclave which goes into technical depth but doesn't require one to study electrical engineering
I know how a TPM works and it would be nice to see where the Secure Enclave differs and who produces the chips
I've saw some details in the past. You can search for "macOS secure boot" and those talks usually mention the secure enclave a lot. There are talks from actual apple employees explaining the cat and mouse game to secure boot in a way that the OS cannot be tampered with, not even by devices with the more privileged of plug and play classes. The same engineers have talks on secure enclave, IIRC
It would be nice to have an updated video on What The Best Browser
I agree! Still use Firefox btw, but use a programmatic way of configuring it for privacy and security.
@@sunknudsen The video you have available about Firefox is still valid or it needs a few minor changes??
@@baylander1945 good question! Waiting for the answer
Firefox episode is still valid but there are easier ways to configure things now using user.js. See github.com/arkenfox/user.js/ which inspired config I use now.
@@sunknudsen I would to see a review of Brave Browser, but only after you spend sometime using it
that's exactly how I thought it would work, but I didn't know that for a fact, also an appimage release is really useful.
Hi Sun. One question I have is does the drive always have a single key (k) or can that key change (not just k*) AND if (k) can't change is it always the key provided by Apple?
My understanding is that “k” is set when encrypted APFS volume is created… and one cannot change key (which is essentially a 256-bit AES key wrapped by “k*”).
@@sunknudsen AFAIK "k" is a random generated value at first. Then "k" is stored encrypted by the hardware UUID. When you change your password and enable filevault it reads "k", and stores it encrypted by more keys (the old copy is destroyed, k is the same but it is now encrypted differently). Lastly, when you secure erase is when "k" is randomly generated again and no copies of the old one are left. In that sense you can change "k". I mean, Sun knows more than I do, but reading the reply I thought a more step by step explanation could help. In addition, I would expect "k" is never on RAM. It is probably only held in the secure enclave memory and on the dedicated encryption/decryption silicon on apples processors. On intel macs it used to be on the T1 or T2 chips. I didn't read all the documentation, I am quoting from podcasts and tech talks I watched, so take it with a grain of salt.
@@sunknudsen Thanks Sun. I really appreciate that you take the time to engage with us when we have extra questions. Keep up the great work.
Thanks for sharing the supporting link!! This just saved me time at work for an audit lol
So Intel Macs do not work this way even though they have File Vault?
Perhaps Intel Macs with T2 chips have effaceable storage… see support.apple.com/en-ca/guide/security/sece8608431d/web. That is what one needs to crypto-shred encrypted drive… File Vault on its own does not solve that problem.
Erasing data securely on different operating systems is an important and interesting topic and one i feel like isnt talked about enough.
I was reading the Hitchhikers Guide to Anonymity and they went over the limitations on MacOS in great detail. I would recommend folks take a look.
Also, semi-related. I have two apple devices that are M1 and now M2. I recently found out tails doesnt run on Silicon Macs and am looking for an alternative if anyone has one.
Does that mean an SSD is not suitable for use with Time Machine? Would an HDD be a better option because SSDs have a limited rewrite memory lifespan?
Oh no your glasses :( BTW, love the thumbnail!
Very Exciting!!!!! Thank You!!!
You are an inspiration
What if hard drive was encrypted by filevalut?
Sun, I have feedback on how you handle your generally useful content to your new business. My suggestion is to do as many content creators do: Use 5 seconds at the start to say the video is sponsored by your business, make the content 100% unrelated to your business and in the end, you explain why this content is also useful to your costumers. It would look a lot better, as the channel keeps true to its values and people not interested in being your customer have the choice to stop watching at the very end without missing useful content. Also youtube algorithm knows ads are in the end and count a "view" when people stop to skip the "ad".
Hey Irae, thanks for the feedback. Curious, are others unhappy with how these new episodes are structured?
@@sunknudsen Love your content. I think the current implementation of the your business mentions is too seamless, it catches the viewer off guard and is confusing. I'd play with a clearer partition between the two using a transitional statement and a title frame. Ex. "Now I'd like to tell you how SuperBacked can help make your iPad even more secure, etc...
Instead of buying mac we can use on tails. My question is can we just spin up vm, do stuff ans destroy that vm?
Hm... Maybe, just maybe, you actually need to stop guessing and actually learn UNIX and filesystems. From someone who been building macs and spent 20 years building enterprise storage servers
Can you please expand on your feedback?
????????? What
ᑭяỖmo𝓼𝐦 😇