Patterns
- Active Warnings
- Attractive Options
- Complete Delete
- Conveying Threats & Consequences
- Create a Security Lexicon
- Create Keys When Needed
- Delayed Unrecoverable Action
- Detailed Notifications About Security
- Direct Access to UI Components
- Disable by Default
- Disable of Services
- Disclose Significant Deviations
- Distinguish Between Run and Open
- Distinguish Internal Senders
- Distinguish Security Levels
- Email-Based Identification and Authentication
- Explicit Item Delete
- Explicit User Audit
- Failing Safely
- General Notifications About Security
- Immediate Notifications
- Immediate Options
- Indirect Access to UI Components
- Informative Dialogues
- Install Before Execute
- Key Continuity Management
- Levels of Severity
- Leverage Existing Identification
- Localization of Specific Areas
- Migrate and Backup Keys
- Noticeable Contextual Indicators
- Providing Recommendations
- Quick Description of UI Components
- Redundant Notifications
- Reset to Installation
- Restricted Areas Notification
- Security Features Used by the System
- Security Features Used by the User
- Send S/MIME-Signed Email
- Separating Content
- Sequential Access to UI Components
- Suggestive Dialogues
- System’s Security Tasks
- The Absence of Indicators
- Track Received Keys
- Track Recipients
- Warn When Unsafe
Patterns are based on scientific sources.
Usable Security Pattern - Complete Delete
Luigi Lo Iacono, Peter Nehren
December 21, 2015
Complete Delete
| Name | Complete Delete |
| Sources | (Garfinkel, 2005) |
| Synonyms | None |
| Context | Frequently deleting information does not erase all of the copies in the computer: hidden data remains from which the user’s desire to erase information can be subverted. |
| Problem | How to ensure that information that is deleted cannot be recovered? |
| Solution | Ensure that when the user deletes the visible representation of something, the hidden representations are deleted as well. |
| Examples | Apple implements Complete Delete, albeit poorly, in the MacOS 10.3 “Secure Empty Trash” command. Microsoft’s Cipher.exe command can be used to overwrite slack space.  Source: (Garfinkel, 2005) |
| Implementation | Complete Delete is implemented by determining what information stored in the computer system corresponds to the user’s notion of the object being deleted, then overwriting the storage media that holds that information so that the data cannot be recovered. While Complete Delete cannot be implemented for information that is stored offline, the results of Complete Delete can be achieved by encrypting offline information and then using Complete Delete to erase the encryption key. |
| Consequences | Prevents forensic analysis from being able to recover information that has been intentionally deleted. Forces designers and organizations to clearly articulate their strategy for maintaining backups and who has access to that information. |
| Dependencies | None |
| Relationships | [Delayed Unrecoverable Action] [Explicit Item Delete] |
| Principles | [Least Surprise] |
| Guidelines | None |
| Check lists | None |
| Use cases | None |
| Tags | Complete Delete, Unrecoverable Action, Explicit Item Delete, Confidentiality |
| Log history | [12/21/2015]: Added to repository |
References
Garfinkel, S.L., 2005. Design principles and patterns for computer systems that are simultaneously secure and usable (PhD thesis). Massachusetts Institute of Technology.