Jun 21

We recently purchased a few drives to fit into one of our servers. I'll not say who supplied the drives, or even what kind of server, suffice to say it's not Sun, and it runs Solaris.

What arrived was a bit disturbing.



The drives were purchased as new parts, and were delivered fully sealed and packaged as a new drive.

We installed the drives, and noticed that the VTOC on one of the drives was a bit different to what we'd normally expect, so we checked with fstyp, and found (to our surprise) a few UFS filesystems.

To our astonishment we then proceeded to mount up a root filesystem from a system that was clearly from another UK company (in particular, a large mobile telephone provider).

The root filesystem in question appeared to have been shut down cleanly, and there were no tell-tale signs to suggest that it was a failed drive that had been remanufactured. Presumably it is from a system that has been traded in, or otherwise decommissioned.

Out of interest, we noted that the "root" and "oracle" accounts had encryptions in /etc/shadow, and proceeded to run a password cracker against it.


So - what do YOU do with your decommissioned kit? And, perhaps more pertinently, what does your vendor do with your decommissioned kit?

Posted by Mike Scott

3 Comments

  1. Mark Lowes says:

    For personal kit, disks are either aggressively wiped or subject to the "large hammer" approach to data security, depending on what they've been used for.

    Previous workplace generally ran disks until they exploded so it wasn't that much of an issue; I'm still working out what the policy is at the current gig.

  2. Mike says:

    I guess it depends on circumstance. For personal kit, yeah - I make absolutely sure that there is no danger of someone easily retrieving data from it.

    In a commercial environment, this is generally harder (not least because of the volume of drives in use). We have a server drive blow on us, an Engineer turns up, swaps it out and leaves site with the drive.

    What happens to the drive once it leaves site is unknown. I suspect that it'll generally be remanufactured, whereupon it should be subjected to a rigorous wiping procedure.

    This particular case is different though. We can tell from the syslog on the /var filesystem that the system was shut down cleanly (on Jan 9th 2006), and there were no disk errors reported.

    We know that it was installed with Veritas, Oracle, Websphere and Abinitio. We also know the hostname, DNS config and network settings.

    In many ways - I suspect this is probably a failing of both the mobile telephone company (not scrubbing their disks), as well as the vendor (repackaging drives without adequate processing of spares).

    As I'm currently involved in a lot of decommissioning work, it's a timely reminder of what not to do...

  3. Corey Donovan says:

    As a reseller of second hand Sun systems and kit, I can report that many end-users and leasing companies are selling us systems without the hard drives in an increasing number of cases. Others either decommission and aggressively scrub the data themselves or ask us for a written notification that we will do this for them.

    I am still surprised when we receive equipment from a billion dollar corporation that has not even been formatted. Of course, in all cases we don't pry into their information and always wipe the drives clean before resale.
