Secure Empty Trash missing on El Capitan
Just installed El Capitan and discovered that the Secure Empty Trash feature is missing. Anyone know how to get this back?
lcawkins wrote:
I just go up to the secure empty and it empties the files for me.
Not in El Capitan. That feature has been removed because it isn't reliable.
Sometimes I think the developers don't ask the users enough questions about their programs before they decide to remove a feature and we find out after the fact whether it's a legal issue or not. It shouldn't be when users revolt that things get changed back in the next version.
The feature does not work on SSDs at all. This is because of how the hardware in SSDs works, & there is nothing software developers can do about that. Revolt all you want. It won't change how the hardware works in the slightest.
This has been explained in great detail in this long topic, including multiple references to technical papers that explain exactly why it does not.
R C-R wrote:
The feature does not work on SSDs at all. This is because of how the hardware in SSDs works, & there is nothing software developers can do about that.
I wouldn't bet money on that, but then my level of hubris is lower than yours.
Oh for pete sakes.. don't tell me there is no way to detect if the drive is encrypted/solid state or not.
Bob, I am totally confused by your post. I have a file I have worked on, don't want anymore and I put in the trash. When I go to empty the trash it won't empty because it says it's either active or locked. I just go up to the secure empty and it empties the files for me. What legal liability are you talking about? It's not a secure file that I'm deleting, but just a regular file.
It says "Secure" empty trash, and it is NOT Secure! That is the liability.
If I <Quote> Secure Erase <Unquote> some sensitive information, then my information is recovered from a temporary file my editor was using, or the disk decided to replace a sector with my information on it and the juicy bits were still on the remapped sector, or any number of failures in hardware and software that could occur to prevent the data from truly being securely deleted, and that information was used against me, I could make a good claim that Apple was at fault and Apple should make me "Whole" financially.
That kind of liability. If Apple lawyers are not losing sleep worrying about Finder "Secure Erase", they should be.
BrianJohnOBrien wrote:
Oh for pete sakes.. don't tell me there is no way to detect if the drive is encrypted/solid state or not.
Actually, detecting if a drive is solid state or not is already being done in recent OS X releases, including El Capitan. But as John Galt pointed out almost a month ago on page 7 of this discussion, securely erasing the trash isn't that simple, even for mechanical drives. Basically, as long as the drive itself determines when to take a sector out of service & make it unavailable to the OS (& all modern ones do this) a secure erase cannot be guaranteed.
Satchmo wrote:
R C-R wrote:
The feature does not work on SSDs at all. This is because of how the hardware in SSDs works, & there is nothing software developers can do about that.
I wouldn't bet money on that, but then my level of hubris is lower than yours.
It has nothing to do with hubris. It has everything to do with empirical evidence gathered by researchers who have tested real world SSDs & discovered that in none of them does securely deleting individual files on SSDs actually work. See for example Reliably Erasing Data From Flash-Based Solid State Drives, which goes into great detail about why this is true, & why even whole device secure erases often fail to sanitize solid state devices.
The best software developers can do is support the ATA Secure Erase (SE) extensions, which depend on the SSD's firmware to overwrite every cell to implement a whole device secure erase. Unfortunately, supporting the SE extensions is optional for both mechanical & solid state drives, & there is no way to determine what exactly the device actually does in response to the Security Erase Unit command (the one that actually is supposed to perform the overwrite) even when the extensions are supported. In fact, as the above cited paper (among other sources) makes clear, sometimes it does nothing at all, or does not touch the reserved over provisioning blocks.
IOW, it is up to the makers of SSDs to solve this problem. Even if they do, there is no practical way to apply whatever their solution might be to all the existing SSDs out there already in use.
That's the long version. The short one is what several of us (not to mention Apple) have been saying all along: there is no way to guarantee that the secure empty trash function does what it is supposed to do.
How to Empty Your Trash on El Capitan without “Secure Empty Trash” AND How to Empty All THREE of Your Caches
1. Open Icon for “Trash” under "Finder" as you have in the past and click and hold down the “Shift” key (I use the left sided “Shift”, but I’m not sure it matters), then choose the “Empty Trash” option, release both keys at the same time and your trash SHOULD be emptied.
2. When unable to empty trash due to an "-8072" error code, open the “TERMINAL” application using the spotlight and type in: sudo rm -rf. Then drag whatever file(s) that need to be deleted into the terminal and hit “Return”. If “Password” is requested, type in the password you use to make any changes on your computer. Important: You will NOT be able to see any letters or icons as you type in your password, but the information WILL be entered. Then hit “Return” and the original command (to empty the file(s) when you encountered the -8072 error code) should be completed.
3. When using “Finder” to empty your caches, instead of “Move to trash” on the “File” pulldown, hit the “OPTION” key and under “File” select “DELETE IMMEDIATELY”. This allows you to skip the step of emptying your trash with potentially difficult files to delete. Just be SURE that you are not deleting anything important. This step is irrevocable. This step does not always work, so be prepared to move everything in your cache(s) to the trash and deal with emptying your trash using some of the steps described above.
4. Remember: there are THREE caches that should be emptied on a regular basis to keep your computer working smoothly (if you use “Safari” as your web browser). The first: open “Finder” and then open the “Go” pulldown. Under “Go”, select “Computer” and open it. I prefer my view to be in “Columns” (you may select your view preference to be: ‘icons’, ‘list’, ‘columns’, or ‘Cover Flow’— at the top of the page under “View”. ‘Columns’ is the second option from the left.) Once you’ve opened "Computer", choose "Macintosh HD", then select ‘Library’ in the column next to your disc options. Select “Caches” as your selection when “Library” is opened. You will see a list of items in this cache. Instead of moving each individual item EITHER to the trash OR “delete immediately” (noted above), go to “Edit” in your “Finder” options and choose “Select All”. At this point, all of the items in your cache should be highlighted. Go to “File” in “Finder” and choose one of the two options described above in number 3; you can either “Delete Immediately” (sometimes you will not be able to delete certain items and the best thing to do is to simply “Move to trash” and deal with the items later) OR “Move to trash”. Be aware that when emptying this cache, if you do not choose to “Delete Immediately”, you will be asked to type in your password to complete moving everything to the trash. The next cache to be emptied can be opened by again choosing “Go” in “Finder”, holding down the “Option” key and choosing “Library” in the pulldown. If you do not hold down the "Option" key, you will not see "Library" under "Go". Again, I prefer the ‘columns’ view (but any view will work). “Library” will appear slightly grayed out, but will present you with multiple options. Open “Caches” and again using “Edit” in “Finder”, choose “Select all” to highlight everything in this cache.
Go to “File” in “Finder” and choose one of the two options described above in number 3; you can either “Delete Immediately” (again, this option may not work and you should just choose “Move to trash” and deal with these items later using some of the alternatives listed above.) The third cache is in your Safari browser (if you use Safari). Open “Safari” and choose the option at the top of the page, “Develop”. Use the pulldown and find “Empty caches”. When the time comes to empty ALL of your trash, if you are using the newest OS, El Capitan, “Secure Empty Trash” is no longer available. To empty your trash, open “Finder” again and under the WORD “Finder”, use the pulldown and choose “Empty Trash”. Even if you have closed every application on your desktop, you may find it difficult to open your trash. This is where options outlined in numbers 1, 2, and 3 above may come in handy. Good luck and happy cleaning/emptying!
Alex2340 wrote:
4. Remember: there are THREE caches that should be emptied on a regular basis to keep your computer working smoothly (if you use “Safari” as your web browser).
Nonsense. There is no need to regularly empty caches to keep a Mac working smoothly. Caches are used to increase performance & every time you delete one the system has to rebuild it, slowing things down until it is rebuilt.
I have files that aren't a national secret that I am not that worried about while I'm using them on my computer but when I delete them I want to Secure Delete. It was good all those years?
Just stupid! I'm sure the people who have files that are THAT sensitive would know that they need to encrypt the disc.
Besides after issues they had before with File Vault I have stayed well clear of it.
<Edited by Host>
ratz2plt wrote:
I have files that aren't a national secret that I am not that worried about while I'm using them on my computer but when I delete them I want to Secure Delete. It was good all those years?
Actually, it quite possibly was not. About the security content of OS X El Capitan v10.11 - Apple Support includes this entry:
Finder
Available for: Mac OS X v10.6.8 and later
Impact: The "Secure Empty Trash" feature may not securely delete files placed in the Trash
Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the "Secure Empty Trash" option.
CVE-ID
CVE-2015-5901 : Apple
The detail page for the CVE-2015-5901 NIST entry in part says this (emphasis added):
The Secure Empty Trash feature in Finder in Apple OS X before 10.11 improperly deletes Trash files, which might allow local users to obtain sensitive information by reading storage media, as demonstrated by reading a flash drive.
IOW, in no OS X version can secure deletion of Trash files be guaranteed. It does not work for flash drives (SSDs) & while it still should for mechanical HD's, it does not delete all traces of the file's data that might still be present in some sector(s) on the drive other than the ones used for the trashed file.
For mechanical HD's only, a secure delete of the entire volume eliminates all traces of the file's data except what might still be present in sectors mapped out as bad (which can be accessed, but not easily) & that feature is still supported in Disk Utility (but only for mechanical drives).
ratz2plt wrote:
I have files that aren't a national secret that I am not that worried about while I'm using them on my computer but when I delete them I want to Secure Delete. It was good all those years?
Just stupid! I'm sure the people who have files that are THAT sensitive would know that they need to encrypt the disc.
Besides after issues they had before with File Vault I have stayed well clear of it.
<Edited by Host>
If it is that important to you, then write an Automator drag & drop app that passes the files you drop onto the app to the Terminal 'srm' command. STRONGLY suggest against doing this if you have an SSD drive, as it will not do what you want, and needlessly shorten the life of your SSD.
Chances are someone has already created an App for That, so you do not even need to roll your own.
As for FileVault, the version 1 was a problem, but since FileVault version 2, it has been rather good. I have been watching these forums for years, and I have seen very few FileVault version 2 issues. Mostly someone lost their decryption key, or they inherited a Mac and do not have the password to decrypt the drive. But out and out failures have not been an issue.
But it is your Mac and you can use it as you like.
BobHarris wrote:
If it is that important to you, then write an Automator drag & drop app that passes the files you drop onto the app to the Terminal 'srm' command.
There is no guarantee that srm will overwrite all traces of the file's data that might still be present somewhere on the drive. All it will do is overwrite whatever the file system says is the current location of the file.
R C-R wrote:
BobHarris wrote:
If it is that important to you, then write an Automator drag & drop app that passes the files you drop onto the app to the Terminal 'srm' command.
There is no guarantee that srm will overwrite all traces of the file's data that might still be present somewhere on the drive. All it will do is overwrite whatever the file system says is the current location of the file.
Of course not. But some people feel good even when taking a placebo.
Bad sectors are still accessible to skilled people. Application cache, scratch, or temporary files are still going to be accessible to the skilled. If the file system has defragmented the file, the original storage is still in the clear. If a Fusion drive moves the file from the SSD side to the rotating disk side, the original storage is still in the clear. And of course SSDs never re-write the sector the data came from, it always allocates a new sector for the write.
There are so many holes in the secure erase model, anyone that is serious about protecting their data will be using FileVault. But as this thread (and other similar titled threads) shows, no matter how many times we explain that it is not a secure erase (and I write file systems for a living and really do understand how the user is not in control of the storage), they still want secure erase back. 😟
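Added example, not part of the original thread or any participant's post: a toy model of the behaviour described above, in which an SSD sends every write to a fresh physical page, so an srm-style overwrite of a file's logical block leaves the original data sitting in flash. The ToyFTL class, its page count and the sample secret are constructed for illustration and do not model any real drive's firmware.

```python
# Toy flash translation layer (FTL); a constructed model, not real SSD firmware.
class ToyFTL:
    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages   # raw NAND contents
        self.l2p = {}                          # logical block -> physical page
        self.stale = set()                     # pages holding superseded data
        self.next_free = 0

    def write(self, lba, data):
        """Write a logical block: it always lands on a fresh physical page."""
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages; real firmware would garbage-collect")
        old = self.l2p.get(lba)
        if old is not None:
            self.stale.add(old)                # old copy is unmapped, NOT erased
        self.flash[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        """What the OS (and srm) can see through the block interface."""
        return self.flash[self.l2p[lba]]

    def raw_pages_containing(self, needle):
        """What a chip-level read of the NAND would still find."""
        return [i for i, page in enumerate(self.flash)
                if page is not None and needle in page]


def overwrite_in_place(ftl, lba, passes=3):
    """srm-style overwrite: rewrite the same logical block several times."""
    size = len(ftl.read(lba))
    for n in range(passes):
        ftl.write(lba, bytes([0xFF if n % 2 else 0x00]) * size)


def demo():
    ftl = ToyFTL(physical_pages=16)
    secret = b"constructed-sample-secret"      # constructed sample data
    ftl.write(lba=7, data=secret)
    overwrite_in_place(ftl, lba=7, passes=3)
    visible = ftl.read(7)                          # OS view: pattern bytes only
    leftovers = ftl.raw_pages_containing(secret)   # flash view: original remains
    return visible, leftovers, len(ftl.stale)


if __name__ == "__main__":
    print(demo())
```

Through the block interface the file reads back as the overwrite pattern, while the page that first held it is unmapped but unchanged, and each overwrite pass consumed another page.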
I have the perfect solution: simply add the word 'secure' back into the command - mind you, no change in how it currently works, just change the name. Everyone will be happy.
babowa wrote:
I have the perfect solution: simply add the word 'secure' back into the command - mind you, no change in how it currently works, just change the name. Everyone will be happy.
That's just a little bit evil. 😉
I think the lawyers wouldn't be happy but, well, they're lawyers.