Improve Panic Button/provide Wipe Button to wipe files and recommend purging with fire
For the TBB Panic Button in #4107 (closed), we decided against extensive efforts to wipe the TBB directory because it would be exceedingly difficult to do it correctly in the face of all adversaries.
However, this doesn't mean that in the happy future, we shouldn't make some attempt to wipe the contents of the TBB dir.
In the face of risk/reward vs time spent on wiping, I think the following OS-agnostic protocol is optimal:
- Overwrite each file with ONE PASS of 0's or pseudorandom stream.
- Rename each file to pseudorandom name
- Rename each directory to pseudorandom name
- rm -rf .
For any situation that requires more effort or time than this, we should recommend fire and/or acid. Perhaps we should even tell the user they should consider fire as a backup measure in a nice dialog before or after the wipe is complete.
Otherwise, this should be sufficient to deter a low-funded adversary with access to Norton Utilities Unerase and the like.
This mode probably should be a different option than the Panic Button, because even one pass of zeroes or pseudorandom data will take a while. In some situations (such as those that would require a Panic Button) you might not have that luxury.
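A sketch of the four-step protocol listed above, as an added example that is not part of the original ticket or of Tor Browser's code. The function names, the 1 MiB chunk size and the choice to skip symlinks when overwriting are assumptions made for illustration; overwrite and rename are done file by file rather than as two separate sweeps.

```python
import os
import secrets
import shutil

CHUNK = 1 << 20  # assumed chunk size: overwrite in 1 MiB pieces to bound memory


def random_name(parent):
    """Return an unused pseudorandom path inside parent."""
    while True:
        candidate = os.path.join(parent, secrets.token_hex(16))
        if not os.path.lexists(candidate):
            return candidate


def overwrite_once(path, use_random=True):
    """ONE pass of zeroes or pseudorandom bytes over the file's current length."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as fh:
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(secrets.token_bytes(n) if use_random else bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the pass to the device before renaming


def wipe_tree(root, use_random=True):
    """Overwrite and rename files, rename directories, then delete root.

    Returns the number of regular files that were overwritten.
    """
    wiped = 0
    # Bottom-up walk: a directory is renamed only after its contents are done.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Never write through a symlink: its target may lie outside the tree.
            if os.path.isfile(path) and not os.path.islink(path):
                os.chmod(path, 0o600)  # read-only files must still be wiped
                overwrite_once(path, use_random)
                wiped += 1
            os.rename(path, random_name(dirpath))
        for name in dirnames:
            os.rename(os.path.join(dirpath, name), random_name(dirpath))
    # Rename the top directory too, then the equivalent of rm -rf.
    doomed = random_name(os.path.dirname(os.path.abspath(root)))
    os.rename(root, doomed)
    shutil.rmtree(doomed)
    return wiped
```

An in-place overwrite only reaches the original blocks on storage that updates in place; SSD wear levelling, journaling and copy-on-write filesystems can leave older copies behind.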