Q: Secure Empty Trash missing on El Capitan

Probably not - and here is why: Secure Empty Trash missing on El Capitan

Preaching to the choir BigB...

Hi. what do you think about apps of secure delete trash (from app store) like file shredder or similar. they do the work like mac do in yosemite?

thanks

They are subject to the same limitations several of us have already mentioned. They are just GUI "front ends" to make it easier to use the built-in "back end" commands already in the OS & accessible from the command line.

Now correct me if I'm wrong, but....

Secure empty trash is different than empty trash in more than one way.

The most import is that is wipes clean the data several times with zero's so that it can't be recovered.  Which is what I believe is now missing.

There was also a different feature where some application would leave a file locked an you could over ride this lock.

That might be the 'bad' idea you are referring to.

BrianJohnOBrien wrote:

Now correct me if I'm wrong, but....

Secure empty trash is different than empty trash in more than one way.

The most import is that is wipes clean the data several times with zero's so that it can't be recovered.  Which is what I believe is now missing.

As has been mentioned a couple of times in this discussion, writing zeros (or any other data pattern) to a SSD does not necessarily overwrite the memory cells that were previously storing that data (because of wear leveling). Unnecessarily writing a data pattern multiple times to a SSD may in fact wear it out a little quicker than would otherwise be the case.

It is different for mechanical hard drives but even for them there are some situations where "zeroing" the sectors holding the file's current data won't necessarily overwrite every sector holding some of its data left on the drive from a previously saved copy or because the drive was defragmented.

Not quite. There is no shortage of bad ideas in this Discussion, but you can find a handful of rational explanations that illustrate the reason "secure empty trash" was removed.

To fully appreciate the reasons requires understanding the various methods in which files are stored. If it were as simple as your example — repetitiously writing "zeros" (or any random data, for that matter) to magnetic media using a known file storage system — then reasonable assurance of irrecoverable data destruction could be provided. But it's not that simple. Electrically erasable memory and its flash implementation does not use magnetic domains in physical locations, so there is no benefit to changing their charge state any more than just once. The problem with repetitious rewriting is that flash memory has a finite number of write / erase cycles. It's a very large number, but it's still finite. Therefore flash memory requires a variety of techniques to ensure that all its cells are utilized more or less equally, to maximize its useful life.

Forget about flash memory and SSDs for now though, those reasons have been beaten to death. What about traditional hard disk drives? Can't Apple implement "secure empty trash" for people whose Macs still use them? Again the answer is not that simple. Hard disk drives are not write-cycle limited, but they suffer from other failure modes that cause entire sectors to eventually become unreliable. Firmware that controls hard disk drives automatically detects those failed sectors and prevents them from being used, writing data to sectors that remain usable. What happens to those "bad" sectors? Good question. Whatever data they contained remains, permanently inaccessible to the higher level devices that used to be able to write to and subsequently read from those sectors — including, you guessed it — "secure empty trash". Data recovery equipment and methods exist to circumvent that firmware and retrieve that "secure" data. They're expensive and time-consuming to use, but it illustrates one reason "secure empty trash" was little more than a placebo even for traditional hard disk drives. The general public might learn more about that in some upcoming Congressional testimony. Probably not though.

It gets worse. What about "fusion drives" that combine a traditional spinning hard disk with flash memory? Good question. What gets stored, and where? Fusion Drives used by Apple control that in their own firmware, again beyond the reach of OS X's ability to assure irrecoverable data destruction should that be desired.

Had enough yet? What happens when someone decides to build his own "fusion drive" from any generic hard disk and SSD (it's not difficult) and retrofit that to a Mac, either internally or otherwise. They don't have the benefit of Apple's proprietary firmware controlling them. Should a "secure empty trash" option be provided for them, knowing full well that it could not possibly assure irrecoverable data destruction?

Heard enough yet? There's more. What about all those third party kernel extensions that allow a Mac user to write to NTFS formatted drives, that otherwise can't be done with OS X? Good question. What about other file storage systems, that don't even permit overwriting of files (they exist)? Should Apple provide "secure empty trash" for every possible implementation of file storage systems completely beyond their control? Could they even do that? Is it even Apple's business to know how their customers choose to store their files anyway? Maybe Apple should simply eliminate the ability to alter the kernel. I surmise that would raise a lot more ire than this pathetic subject. Be careful what you ask for.

If Apple provides a method in OS X to "securely" delete files their customers have a reasonable expectation that it should do exactly that. For them to retain it knowing it can't reliably accomplish what their customers expect of it would be irresponsible.

Scroll back and read the posts by NBW and R C-R including the links they provided. There are others and I do not mean to omit anyone in particular. What is surprising to me is the degree to which people demand their placebo — which is all "secure empty trash" ever was. Unfortunately I now foresee an entire cottage industry of opportunistic App Store developers selling 99¢ utilities to wrap a GUI around srm and accompany it with clever cartoon animations and "shredder" sound effects, preserving the illusion. Those things are very popular and really lucrative. Don't forget advertisement revenue.

The original reply to this Discussion remains the most viable option for anyone working with secure documents: "If you are working with sensitive files whose content must be secure from unauthorized access, use FileVault." It has always been so, well before Apple decided to remove "secure empty trash".

John Galt wrote:

What about traditional hard disk drives? Can't Apple implement "secure empty trash" for people whose Macs still use them? Again the answer is not that simple. Hard disk drives are not write-cycle limited, but they suffer from other failure modes that cause entire sectors to eventually become unreliable. Firmware that controls hard disk drives automatically detects those failed sectors and prevents them from being used, writing data to sectors that remain usable. What happens to those "bad" sectors? Good question. Whatever data they contained remains, permanently inaccessible to the higher level devices that used to be able to write to and subsequently read from those sectors — including, you guessed it — "secure empty trash".

FWIW, once this problem was well understood some years ago, a new command was added to the ATA command set that would overwrite even the normally inaccessible "bad" sectors ... but not every drive manufactured since then implements it to begin with, & it is a "whole disk" operation, not something that can be used just to selectively overwrite just the sectors used by trashed files.

I have no idea if Apple has ever supported this command, but regardless of that it is just one more example of why secure erase is never as simple as it seems & not something users should ever rely on to keep sensitive data from being recoverable.

?? This re ‘Cocktail’    I don’t see it addressed anywhere on following pages of comments? 

LDoza45 wrote:

?? This re ‘Cocktail’    I don’t see it addressed anywhere on following pages of comments? 

If you mean the Cocktail El Capitan Edition secure empty trash option, the same considerations & limitations apply to it that John Galt (& others) have written about in the discussion in increasing levels of technical detail.

The bottom line remains the same whether you are considering a builtin OS X function or one offered by a third party utility: for modern storage devices there is no reliable way to securely erase all traces of trashed files. To keep your data secure, use strong encryption.

No Apple won't as per their posting:

Thanks for stating the obvious John Galt but I don't think you've bothered to understand what the real problem was. And just as we see elsewhere the impressionable (here's looking at you R-C-R) are jumping on the bandwagon and spreading your sermon as the WORD.

The problem simply stated is that in deciding to get rid of "Secure Empty Trash" from the OS GUI without any warning to the gullible upgrader, Apple, yet again, took away a convenience that Joe User had gotten used to, leaving it up to their preachers, such as yourself, to round up the flock and get them in line.

No one's debating the occupation of physical address space on a storage system or whether encryption algorithms are what they claim to be - fort meade backdoors anyone ?

While I don't personally drink kool aid much, for those that do want to mimic "Secure Empty Trash", the real thing is gone but you can still get the next best thing and that too in a few different flavors as below - and set it up as an alias, you won't even have to type the few extra tabs...

1. rm -rP /<path>
2. srm -rfv -s /path (try the m and z switches for more options)
3. diskutil secureErase freespace LEVEL /Volumes/<drive>

That took me about ten minutes. You can do it too. Knock yourself out.

!cultOfApple wrote:

 

Thanks for stating the obvious John Galt but I don't think you've bothered to understand what the real problem was.

The real problem is that there is no reliable way to securely empty the trash on modern drives. This includes using Terminal commands, which cannot magically overcome the underlying hardware issues in the drives themselves that make it an unreliable procedure.

Did you read what I wrote because if you had, you'd notice that I'm not suggesting what you're claiming I am. Ditto RCR.