
[Veritas-bu] To ensure overwrites

2000-11-15 13:32:21
Subject: [Veritas-bu] To ensure overwrites
From: Jonathan Meyer jmeyer AT ptc DOT com
Date: Wed, 15 Nov 2000 13:32:21 -0500
I have seen a key issue missing from the discussions of how to ensure
that data on a tape is overwritten or destroyed.

This is really a security issue, so the important question is what is
the potential threat and what are the capabilities of the adversary.
Any security-related procedure needs to be based on this "threat
model."

For example, writing an EOF at the beginning of a DLT tape makes it
entirely unreadable on any system I personally have used.  As far as I
know, stock hardware and stock device drivers cannot read such a
tape.

On the other hand, the data still exists on the tape.  I do not know
if civilian data recovery firms can recover the data, but equipment to
do the job does exist.

Now, let's discuss the most potent adversaries.  Many people I know
believe that the NSA can recover the data if it has been overwritten
once with a random bit pattern.  56-bit encryption will not slow them
down much more than rot13 :-).  They will be able to produce both the
overwrite pattern and the layer below.  No one I have spoken to will
speculate how many layers down they can differentiate.  Degaussing is
also suspected to be insufficient.  I believe that all governments
really do shred classified tapes into fine powder for disposal.

It is very difficult to know how the capabilities of other governments
and/or large multi-national corporations compare to the NSA.  I try to
never underestimate an opponent.

It does not make a lot of sense to me to talk about procedures for
handling tapes until a reasonable model of the threat has been
established.

On a related issue, some threats should be managed through security,
others through business insurance; it is all about risk management
and cost management.

--------------------------------------------------
Jonathan Meyer
(781)398-6594
UNIX Systems Administrator
Parametric Technology Corporation
--------------------------------------------------


