7 Replies Latest reply: May 4, 2012 4:00 AM by cyderspace
cyderspace Level 1 Level 1 (0 points)

I want to start afresh on my HD, i.e. reinstall from original disks and use Disk Utility to secure erase (via Erase & Install).

I've read articles about pros and cons + how to do it.  So I think I know how to do everything.  However, from my reading I gather that Zero Erase is a single pass random erase whereas 7 Pass is secure erase (and there is a 3 Pass secure erase option nowadays)?

That got me wondering - does 7 Pass secure erase make 7 x single passes over the entire disk?  If it does, then when the blue bar has extended a bit over a third of the way across the progress monitor (that little bar that indicates time left) it should have made 3 passes, which would be equivalent to 3 pass secure erase?

Is that an option?

Is it possible to stop part way through an erase (which is part of E & I)?


My original disks 1 and 2 have OS X 10.4, with OS X 10.5 included as complimentary 3rd disk (because OS X 10.5 was just released at that time).


I gather I need to erase with disk 1, then install disks 1 + 2, then install OS X 10.5.

MacBookPro3,1, Mac OS X (10.5.8), 15"/ 2.2 GHz Core 2 Duo/ 2GB/ 120GB
  • Texas Mac Man Level 8 Level 8 (46,550 points)

    The only reason to do a multipass erase is if you were selling/donating the Mac and you wanted to be 100% sure no one could ever access your data. Just do the regular erase and install the OS as you described.


    After you install the base 10.4.x, update to the final Tiger version 10.4.11. Here's the link for the 10.4.11 combo update http://support.apple.com/kb/TA24901?viewlocale=en_US


    After you install the base 10.5, download & install the 10.5.8 combo update at http://support.apple.com/downloads/Mac_OS_X_10_5_8_Combo_Update


     Cheers, Tom

  • Thomas Brierley Level 3 Level 3 (535 points)

    Texas Mac Man is correct, there is no reason to do any zeroing, or multipass random writes, unless you are selling on your Mac and want to make sure data is unrecoverable.


    On very old HDDs there used to be a technical advantage in doing this, because older HDDs (I'm talking 486, 20MiB capacity old) were much less reliable, they were not as magnetically stable, and bad sectors were common without any physical platter damage. Zeroing when formatting the drive gave a better baseline magnetic polarity to start with (the magnetic polarity of a bit on a platter is not completely hard, it has an analogue nature in that it has degrees of polarity); provided this is well either side of the threshold that determines if it is a 0 or 1 there are no problems. I guess old platter material had a higher magnetic permeability and thus lower retention of polarity, making it creep closer to that threshold.


    This is why if you truly want to destroy data on your hard drive you have to do even more than one pass of zeros, because beyond a simple block read, you can actually ask the disc controller on modern drives for more detailed information on the specific degree of polarity of a bit... if you imagine zeroing a section of disc that contained a perfectly intact file, then you can read back the degrees of those zeros and simply scale them up (i.e. move the threshold). Also, if the file was overwritten with some other data then you could subtract those values from the variations in polarity to recover the original data underneath.


    All of this is really extreme of course... for the average person, zeroing is going to be enough to dissuade them from trying anything further than a data recovery app, because it's incredibly time consuming and requires more specialist software.


    Anyway, the point is on a modern HDD zeroing makes no difference for performance or reliability. What makes way more of a difference for reliability on HDDs is operating temperature and shock... shock can mess with the actuator and at worst crash into the platters, and high operating temperatures make the bearing wear out faster.


    If you are really worried about sensitive data, i.e. it's work related etc., then simply never pass on the physical HDDs, keep them or destroy them in a cheap microwave oven. Or alternatively use SSDs, which for the most part are practically impossible to retrieve contiguous (meaningful) data from.

  • cyderspace Level 1 Level 1 (0 points)

    Thanks for your answers Texas Mac Man and Thomas.


    Texas Mac Man - I followed your suggestion and installed 10.4.11 update, but I wonder whether I should have.


    Disc 1 contained Tiger version 10.4.10 and the Drop-in upgrade DVD had Leopard  version 10.5.

    I checked the dates when updates were released (on Downloads page):

    Tiger v10.4.10 = 2 July 2007 and Tiger v10.4.11 = 14 Nov 2007

    I can't find release date for Leopard 10.5, but v10.5.1 was released 15 Nov 2007.  Wouldn't 10.5 be ready for installation on 10.4.10?

    (I bought the computer in Australia mid Dec 2007.)


    I ask, because I did an E&I about 18 months ago (I didn't know about using Disk Utility for secure erase at that time); I loaded the three discs (Disc 1 + 2 + Leopard upgrade), one after the other and then started installing updates as they were listed in Software Update.  Everything went smoothly 18 months ago.  This E&I was a nightmare.


    I did 41 individual installations (from dmg's).

    Software Update lists were sometimes unhelpful because some of the descriptions were abbreviated, so it was difficult to find some dmg's.  A search on Downloads page was accurate if exact name was typed in, but use of the abbreviated name, listed in SU, made some searches time consuming.

    (I always install updates from downloads, not from SU, so I had many of the dmg's, because I kept them from original download; but I relied on SU to indicate the order to install dmg's.)

    Of the 41 installations,  8 were for Microsoft Office 2008, but they were straightforward.  Microsoft provides filenames of downloads on its webpage, and there is a link to the download page in AutoUpdate, which is helpful.


    When I exhausted SU's lists (i.e. SU advised there were no more updates) I had obsolete versions of Quicktime (7.2), iPhoto (7.1), iMovie (7.1), iDVD, Digital Camera Raw Compatibility on the computer.  I realised they were obsolete because there were unused, but more recent, dmg's in my dmg's folder (iPhoto, 7.1.4 & 7.1.5; iMovie 7.1.4; iDVD 7.0.4; Digital Camera Raw Compatibility Update 2.7; Quicktime 7.6.9 & 7.7).  I installed Quicktime 7.7 and ran SU again.  Over a couple of runs it then listed the unused dmg's that I listed above, which I installed.

    The only dmg that is not installed this time, but was installed last time, is 'Macbook Pro SMC Firmware Update 1.3' (http://support.apple.com/kb/DL832), which adjusts the fan behavior when running under high workload conditions.  I attempted to install the dmg but got message that the computer does not need the update.  I ran SU after installing discs 1 & 2 and there was 'MacBook Pro Software Update 1.2'  listed (http://support.apple.com/kb/DL180), so I installed that before installing Leopard from DVD.  That update improves graphic stability, but it wasn't listed for installation last E&I.

    On reflection, I gather the firmware upgrade is permanent, and unaffected by E&I.


    The reason I wanted to secure erase is because I'm fairly sure there was Flashback malware on my computer.  I ran the manual commands that F-Secure provides, for the various variants, through Terminal and that indicated the computer did not have the malware.  However, on this page (https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml) F-Secure describes a method the malware uses to infect a computer.  On the webpage there is a screenshot of a prompt the malware uses to obtain the administrator password.  I got that prompt when I ran SU around middle of last week.  I also got a prompt on FB in early April that wanted to install new Flash Player (Flash Player was up to date).   I didn't enter password into either prompt.  After the FB prompt Safari crashed a few times when loading pdf's from html pages.  I checked the Crash Reports.  There weren't any ‘Plug In: ??? ???’ entries, which I notice in some Crash Reports I have seen online.

    I have Little Snitch and Microsoft Office 2008 installed, so it seemed to me that whatever variant was on my computer has not yet been detected by AV companies, and it was determined to infect my computer.


    When I ran SU (and got the prompt mentioned above) I hadn't been online that day.  Power to the computer and router was turned off at the wall overnight.  I turned power on, started computer, logged into User A/c (which is the account I use when on the web), didn't open Safari or any other apps, clicked on SU, told Little Snitch to allow connection, SU ran through to completion (latest version of iTunes was only update listed), but when SU's window 'New software is available for your computer' came up, the malware window (pictured on F-Secure's page) appeared on top of SU's window.  How did the malware achieve that if it was not already lurking in the computer?


    That's why I wanted to secure erase.

    I used zero erase and ran it through twice for good measure.  It might be unnecessary, but I feel better for having thoroughly erased the drive.  I don't know how I got that fake Software Update prompt if it was not from Flashback malware.  I think the malware is extremely concerning in its deviousness.  And I am not the least bit happy with Apple's unwillingness to even warn its customers of the threat, and advise of a simple method to protect against the malware - disable Java.

    Apple manages to send me emails promoting its new products, but shows disdain for my safety online.

    Not happy Apple.

  • Thomas Brierley Level 3 Level 3 (535 points)

    Hi cyderspace


    I understand your concern with Flashback... it is very possible they simply changed the trojan path to avoid being detected... or even randomised it (that's what I'd do if I was planting trojans)... so if you have reasonable suspicion that you might have it then an erase and install is a good idea...


    I can understand the urge to zero in the case of malware... but honestly it will make no difference, the file system isn't going to accidentally revive some unallocated drive space as a file, that just doesn't happen. You would have to make the effort of doing data recovery, and as it's a trojan (not a virus) you would also have to find the trojan file and install it on your system... so you can see how unnecessary it is, but I get how you want to eradicate any trace of it. Zero is enough for that, but it can take a long time depending on the size of your HDD... basically the length of time it takes to write a contiguous file of your HDD's capacity.


    One note on that trojan... there were supposedly some infection vectors through Java with little user intervention, but for the most part I believe this trojan was deployed like most other Mac malware, by simply fooling the user to install something (i.e. a Flash Player).


    To avoid this kind of malware you can follow some pretty simple rules... never follow links that you were prompted to follow from unofficial sources (i.e. "Your flash player is out of date, click here to upgrade")... that's fine, it's out of date, so google and go to the official Adobe site and download it. Same with any other plugin you care to give root access. Navigate to the official source manually, because you are handing over various levels of access to your computer to these plugins, they need to be trustworthy.


    On the Flash side... you should never have to update it manually... Safari's is kept up to date with Apple Software Update (albeit slowly sometimes admittedly), alternatively use Chrome, which is better in many respects in my opinion anyway, and it will silently autoupdate (it also uses a separate Flash plugin from the system's for security so it can sandbox it).


    Ok enough of malware crap...



    About your updating etc... I'm not sure why you're downloading stuff manually, but I can only assume it's because your Mac doesn't have an internet connection?


    It really is worth trying to find one at least temporarily to do your updates through Apple Software Update, that way you don't have to worry about locating the correct ones... firmware for instance is very machine specific. Also you are correct, firmware updates are separate from the OS, erase and installs only affect block devices. Firmware is located on-chip (this contradicts the smart phone world where many people confusingly refer to the block device as the firmware, but evolving from the embedded world it sort of transmuted into that word which more correctly applies to ROMs not NAND and HDDs).


    As for your update procedure, it seems very convoluted, usually when doing a major update (10.4 > 10.5) it's not necessary to upgrade the old system, because it's being almost completely overwritten with a whole different version.


    Also you might find that you don't need to install 10.4 at all... which is much better if possible, major OS upgrades aren't ever that smooth, this is even so in the Linux world. The point of a major OS revision is that it breaks away from certain things in the previous revision, so you are trying to merge an OS with components that are inherently incompatible with the current one... of course it's designed to work, but you can see why sometimes it doesn't and often it's not as good as a clean install of the major revision you are after.


    I know the 10.5 disc was given as an upgrade, but try to install from it straight away (i.e. don't bother with 10.4 at all), you might find you don't need it (the full OS is on the disc, it's just a matter of whether or not it will let you install it).


    If not then install 10.4 but don't bother upgrading it... this step should be unnecessary, all of the upgradable parts of the old OS will be replaced by 10.5 anyway. Get 10.4 on there purely for the purpose of allowing the 10.5 install disc to work, then work on upgrading that (preferably via Software Update and just let it do its thing).




    On the zeroing things front... you can safely try it and then just skip it if it's taking too long, it doesn't affect the formatting process which is done afterwards.

  • cyderspace Level 1 Level 1 (0 points)

    Thanks for that info Thomas.


    The malware:

    If there was something on my computer it got there by drive-by method.  I am super, super cautious.  I never respond to popup prompts.  If there isn't facility to click to get rid of the popup I leave the page, and I never, ever put password in.  I'm unsure how long the malware might have been on my computer.  The E&I has transformed my computer.  There is so much difference it's a bit weird.  Safari's predictive text is back, a grey bar along the bottom of Safari screen isn't there anymore (previously Safari pages didn't seem to fully load; there was a grey bar along the bottom of the page which described number of items loading, but there always seemed to be some items not loaded).  Everything is much faster - loading files at startup, loading applications, opening web pages and files.


    My first encounter with a suspicious popup was on friend's Facebook page in early April.  That was the fake Flash Player prompt.  My ISP usage stats for the next day indicate excessively large download (it far exceeds any previous single-day stat in last 4 years).  I didn't do anything out of the ordinary online that day, so I suspect something not right there.  During the next week Safari (which had been very stable) started to crash.  Hmmm.   Then the Software Update prompt - that was too devious for my comfort.


    The problem is, Safari had been slow for a lot longer than just back to early April.  The slow loading of files at startup + opening of apps predated April too, but perhaps only back as far as late last year.  I think Safari might have lost the predictive text about the same time as the apps etc slowed, but Safari itself was slow  - - - well, it seemed like forever (I put it down to Apple wanting people to upgrade to SL, so they made Safari craaaaawwwlll.)  Well it doesn't crawl now.


    In a recent blog Intego suggests poorly maintained self-hosted Wordpress blogs spread a lot of infected files (for readers who might not know the difference - some blogs run on downloaded Wordpress.org software which the blog owner needs to maintain, whereas the software that runs Wordpress.com blogs is maintained by Wordpress).  I frequent a number of Wordpress self-hosted blogs, especially since late last year, but I haven't encountered any popup prompts like the Flash Player one at FB.  So if I picked up anything from those sites it was a very stealthy drive-by attack.


    After E&I I installed Intego VirusBarrier X6 for 30-day trial, and I'll probably keep it there permanently (i.e. purchase at end of 30 days).  I know there are a couple of popular free AVs that a lot of people use, but on performance (i.e. finding malware asap) VB X6 seems to be the king of AV's for Mac.  I ran full scan, to be sure all the files I brought back onto the system are clean, and nothing was detected.


    The reinstall:

    I install by dmg because I understand it to be a better way to install software updates.  The gory details are lost to me now, but I remember I had trouble with an SU update a number of years ago and after a lot of reading, concluded the gold standard for updates is to have all ports empty, no applications open, and install from dmg (for Microsoft Office updates login with shift key down and restart after install).  I plan to stick with the method because it has worked well for me.   I work on the theory that if I put in the time to build a good foundation I'll be rewarded with a stable system.  Reinstall was more complicated than it needed to be because SU doesn't clearly identify what needs to be installed.


    Leopard DVD:

    The Leopard DVD is upgrade only.  I tried installing it first but got message that it could not install because OS X 10.4 was not on the drive.  The Leopard DVD provided the first of a number of frustrations during reinstall (although this was a bit of a heart-stopper; I thought I'd totally stuffed up).  I used Leopard DVD to boot system and access DU for secure erase.  At the end of that process the next step is to install . . . oops (it won't install).  I ended up in a no-win loop of asking to quit, but needing to nominate DVD to be used for restart; couldn't eject disc . . . around the loop I go again . . .  Somehow I eventually got out of the pickle.


    Zero erase:

    It took around 40 mins for each erase (I had other things to do, so time wasn't a problem).  I'm still interested to know the answer to my original question though.  Does 7-pass write zeros across the drive seven consecutive times?  I guess it must.



    I've contemplated switching to another browser (I'm reluctant to use Chrome only because Google owns it, and I have no desire for Google to know more than it already does about me).  Camino appealed but its future seems uncertain.  Firefox is often recommended especially for the NoScript and AdBlocker features.  VirusBarrier has Adblock feature, so I may not need that on a browser.  For the time being I'll try running Safari with Java and JavaScript disabled.  I've also deselected all versions of Java in Java Preferences in Application/Utilities and disabled Flash Player by moving three files in Library/Internet Plug-ins to a folder I named 'Internet Plug-ins (Disabled)'.  When I want to use Flash Player I move the files back into their correct folder.

    I know that JavaScript is not the same as Java but I gather Firefox's NoScript disables JavaScript.  I haven't done a great deal of web surfing since making these changes but it's amazing how many pages work perfectly well with all these things disabled.  Earlier today I checked four different bank web pages for current term deposit interest rates.  Two needed JavaScript and two didn't.  I left the Safari Preferences pane open and clicked JS on and off as I needed it.

    There is a noticeable reduction in activity on Little Snitch.


    I assumed Apple would never update Safari 5.0.6 (part of the unsupported flotsam and jetsam), and that Leopard users won't get access to newer versions.  I assumed that when current version of Flash Player becomes obsolete Leopard users will need to download from Adobe, or move to Chrome.

  • Thomas Brierley Level 3 Level 3 (535 points)

    For the 7 pass erase the progress bar will just appear to go slower... I don't know whether or not the actual process does each block individually 7 times in a row or the entire drive 7 times in a row, but making the progress bar indicate the entire progress is trivial, and it would be absurd to code it differently.


    Disabling Java is a good idea, most of the vulnerabilities on OS X (this one and previous ones) have been via Java, the majority of apps do not use Java, and the majority of websites do not use it either. In fact the only non-Java vulnerability on OS X that wasn't patched before it was announced was the DNS vulnerability, but that only really applied to people running DNS servers, not those using public DNS servers.


    Disabling JavaScript on the other hand is pointless, like you said it's an entirely different language, and you can thank Sun for all the confusion in the naming. While you will rarely notice any issues with Java being disabled on the web, JavaScript is a pretty integral part of a lot of sites these days, and while some developers will give you backwards compatibility, it will be a reduced version of the site. Then some developers simply will not bother giving you a JavaScript-free version, especially if it's integral to the site, it costs time to develop lots of different versions. I am one of those developers, and it seems arrogant, but the standardisation of the web has been a long time coming, and JavaScript is pretty much a requirement these days.


    Also in terms of security JavaScript is run in an entirely different way to Java, disregarding the byte code vs interpreted part, Java has a lot of native libraries that have root access... this is for performance, these are the libraries which had the vulnerabilities, and hence sand boxed Java magically started F-ing stuff up.


    JavaScript interpreters on the other hand are implemented much differently, admittedly however it will vary from browser to browser, so bugs and possible exploits aren't impossible, however they are far less likely and have less consequence, also the diversity of interpreters compared to the single Java source makes it difficult to have a one fits all vulnerability.


    I would consider Chrome again... the slowness you are experiencing may have nothing to do with Safari specifically, unfortunately HTTP just IS slow, and if you access websites that use lots of discrete HTTP resources then things can get VERY slow.


    Chrome actually has the advantage here because they are pushing web technologies, so I would reconsider it, they won't be big brother unless you sign in on it and you have web history enabled... as a dumb browser it's just another browser, but a very fast one... the reason is 1, they have the fastest JavaScript interpreter... and that's because it's not an interpreter, it's a JavaScript compiler (V8), 2, they are pushing a new protocol called SPDY, instead of HTTP which creates high latency due to web servers only allowing one request per IP per domain, SPDY is more in line with current web site needs and it's already deployed on some web servers... for those sites, you'd experience significantly faster loading than other browsers. 3, it's more secure... it has proper sand boxing, Safari is supposed to have sand boxing but it was a bit of a fail, plugins aren't sand boxed, on Chrome they are.


    No browser is perfect, but you will find a lot of developers recommend Chrome, it's a good browser, good for the user and it also pushes web standards (which includes security).


    Safari, Camino and Chrome all use the same rendering engine (WebKit) so things will render (look) the same, but it's the rest of the underlying technology which will make it faster and more secure (JavaScript compilers, sand boxing, better network protocols etc).


    Firefox used to be a bit of a star for eating away the market share of IE, and many people (myself included) are grateful for that, and while it has reasonably good compliance in terms of basic DOM stuff (which IE was crap at for years), it's not as good as people used to think for security and reliability. One massive problem is memory leaks, in this respect it's just as bad as IE.


    Safari is ok, its JavaScript interpreter is as good as Firefox's, and I prefer the WebKit rendering engine, but its sand boxing is crap, and it does seem slow.
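
The ordering question left open in the reply above (each block 7 times in a row, or the entire drive 7 times in a row) decides what an interrupted multi-pass erase leaves behind. The Python sketch below is an added example, not from any poster and not Disk Utility's code: it models both orderings on a small in-memory image and reports per-block overwrite counts when the job is stopped at a given point on the progress bar. The block size, marker byte, per-pass patterns and function names are constructed for illustration.

```python
"""Toy model of a multi-pass erase interrupted part-way (added example)."""
import io
from fractions import Fraction

BLOCK = 512   # bytes per block in the toy image (assumption)
OLD = 0xAA    # constructed marker byte standing in for pre-erase data


def schedule(n_blocks, passes, order):
    """Yield (pass_index, block_index) in the order writes are issued."""
    if order == "by_pass":        # entire drive, once per pass
        for p in range(passes):
            for b in range(n_blocks):
                yield p, b
    elif order == "by_block":     # each block `passes` times, then the next
        for b in range(n_blocks):
            for p in range(passes):
                yield p, b
    else:
        raise ValueError(f"unknown order: {order!r}")


def interrupted_erase(n_blocks, passes, order, progress):
    """Erase a toy image and stop once `progress` of all writes are done.

    `progress` is the fraction of the progress bar reached, given as a
    Fraction or a string such as "3/7" so the cut-off is exact.
    Returns how thoroughly each block was overwritten at that moment.
    """
    image = io.BytesIO(bytes([OLD]) * (n_blocks * BLOCK))
    counts = [0] * n_blocks
    stop = int(n_blocks * passes * Fraction(progress))
    for i, (p, b) in enumerate(schedule(n_blocks, passes, order)):
        if i >= stop:             # user cancels the erase here
            break
        image.seek(b * BLOCK)
        # Constructed pattern: pass number as the fill byte (never 0xAA).
        image.write(bytes([p + 1]) * BLOCK)
        counts[b] += 1
    return {
        "min_passes": min(counts),             # weakest-covered block
        "max_passes": max(counts),
        "untouched_blocks": counts.count(0),   # never overwritten at all
        "residual_old_bytes": image.getvalue().count(bytes([OLD])),
    }


if __name__ == "__main__":
    for order in ("by_pass", "by_block"):
        for progress in ("1/3", "3/7", "1"):
            print(order, progress, interrupted_erase(70, 7, order, progress))
```

In the by-pass model three complete passes correspond to 3/7 of the bar, and at one third only two passes are complete everywhere; in the by-block model stopping at the same point leaves the remaining blocks never overwritten.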

  • cyderspace Level 1 Level 1 (0 points)


    By coincidence I'm currently reading the book, 'Creeping Failure' (subtitled, 'How we broke the Internet and what we can do to fix it') by Jeffrey Hunker (© 2010 + updated with a new Preface on July 2011).

    Hunker advises to disable JavaScript.

    He is critical of many aspects of the current Internet (from careless consumers, through ISPs and Web sites to software producers).

    One of his comments (p 166):

    "But worse yet [worse than careless users], a lot of Web sites actually make it easier for attackers.  How many times have you gone to a Web site and been told that you have to enable JavaScript, or Active X, or have cookies enabled?  When you enable any of these programs, you are also putting your computer in an open configuration setting.  If the Web site's server has been compromised already, then the mere act of visiting it means that the HTML language that makes the site look so nice on your screen also contains a lot of hidden instructions to infect your computer.  Most users don't know this, and cheerfully go on enabling plug-ins or JavaScript or any functionality that makes visiting Web sites more enjoyable - and potentially corrupting.

    So what can be done?  There are a variety of approaches designed to save us from ourselves.  In August 2009 an industry group representing some of North America's largest banks (FS-ISAC, the Financial Services Information Sharing and Analysis Center mentioned in Chapter 6) advised commercial banking customers how they could help secure their online banking accounts.  The recommendation was draconian - customers should "carry out all on-line banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible."



    Hunker suggests AV software isn't particularly useful because the people who write code for viruses etc. are always one step ahead of the AV companies.


    The book is a good read; Scientific American recommended it (Nov 2010).



    I haven't visited many Web pages since disabling JavaScript, but my experience so far is that many pages have a no-JavaScript option because there seems to be a brief moment while the http adjusts, and then it downloads.  I'm less concerned about my Web experience than I am about my online security, so I'll probably continue to disable JavaScript during general surfing.



    Some general info about my experience with E&I (might be helpful for others):


    My install 'Disc 1' has Tiger OS X 10.4.10.  OS X 10.4.10 update was released 2 July 2007 (so 'Disc 1' was made after 2 July 2007).

    The Leopard upgrade DVD has 10.5

    From Wikipedia: Leopard 10.5 was released 26 October 2007.


    When I ran SU after installing OS X 10.4.10 + bundled software (from Discs 1 & 2) it listed the following:

    • Compatibility Update for Quic [this was the abbreviation in SU]; Version = 1.0;  Size = 18.7MB
    • Macbook Pro Software Update;  Version = 1.2;  Size = 14.9MB
    • Java for Mac OS X 10.4 Release 6;  Version = 1.0;  Size = 80.7MB
    • Mac OS X Update (Intel);  Version = 10.4.11;  Size = 131MB


    A number of other items were also listed but, from previous E&I, I knew they would be listed again after I installed Leopard 10.5 upgrade (from DVD).


    I installed the four updates listed above using dmg's that I downloaded from Apple Download page.  It was easy to locate the last three dmg's (via search on Download page) but I had to guess what 'Compatibility Update for Quic Version 1.0' was.  The dmg for 'Compatibility Update for Quicktime 7.2' (18.1MB, released 11 Sept 2007) seemed to be only option.  I installed that.  Before installing Leopard upgrade from DVD I ran SU again.  It listed 'Compatibility for Quic Version 1.0 Size 18.7MB' again, so I have no idea what I was supposed to install.  I gave up and moved on to install Leopard 10.5 upgrade from DVD.   (If I do another E&I in future I will select the 'Compatibility Update for Quic Version 1.0' in SU and install from SU.)


    • Macbook Pro Software Update 1.2 was released 1 November 2007
    • Java for Mac OS X 10.4 Release 6 was released 13 December 2007
    • Mac OS X Update 10.4.11 was released 14 November 2007


    I don't think I needed to install the above three updates because 10.5 was released before them.


    Installing one or all of the above three updates (which post-dated Leopard 10.5 release on 26 Oct 2007) seems to have caused SU to malfunction after I installed Leopard 10.5 upgrade.  SU should have listed Quicktime 7.7 but it didn't list any Quicktime update.  This caused SU to then overlook updates for iPhoto and some other apps (which I detailed in my April 29 comment in this thread).


    Everything seems to work properly, so hopefully I have a lot of hassle-free computing ahead before I need to revisit E&I.