[Cryptography] Magnetic media destruction question

[Christian Huitema]

On 1/7/2026 8:36 AM, Peter Gutmann via cryptography wrote:

> Asking on behalf of a third party: It appears that customers of media
> destruction companies have started asking for shredding beyond the maximum
> levels specified in standards like DIN 66399, which is both difficult and
> expensive to achieve (additional processing stages, higher energy consumption,
> increased wear on equipment, etc).  Does anyone know what's driving this, is
> it just the usual numerology approach to security?  It's hard to see how
> anyone would be able to identify which of the million pieces of confetti in a
> tub of shredded media are worth looking at let alone be able to recover
> anything from the one piece of confetti they've picked out, which would
> indicate it's been driven by numerology rather than actual threat analysis.
>
> Are there any security standards that mandate beyond-DIN 66399 T-7 shredding?
> And what threat modelling is being done that would imply someone can recover
> data off a piece of confetti buried in among a million others?


It is certainly possible to put back together shredded documents from 
the confetti. The Islamic revolutionaries did just that in 1979. See for 
example 
https://en.wikisource.org/wiki/Portal:Documents_seized_from_the_U.S._Embassy_in_Tehran. 
The top banner of that site says "A large number of documents, some 
already shredded <https://en.wikipedia.org/wiki/Paper_shredder>, were 
seized by Iranian Islamists <https://en.wikipedia.org/wiki/Islamism> 
during their 1979 occupation of the U.S. Embassy in Tehran 
<https://en.wikipedia.org/wiki/Iran_hostage_crisis>. They were pieced 
together and made public". I suppose that modern spies would take 
pictures of the confetti and feed that to a big computer instead of 
doing it manually.

The plausible defense is "shred then burn". As an individual, shred the 
documents, put the confetti in a pail, throw a match.

-- Christian Huitema