US DHS US-CERT has new advice, including this excerpt:
ST18-005: Proper Disposal of Electronic Devices
Deleting Data: Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on the device and can be retrieved. Permanent data deletion requires several steps.
Computers: Use a disk cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.
* Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.
* Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.
It would be nice if it mentioned resetting system firmware, ensuring no user account information is on the system. The above discussion is all about data on the hard drive. You can replace the hard drive and the firmware data will remain. Then again, if you’re disposing of a system, you may not care if the new owner inherits your bootkits (you probably didn’t know about the bootkits in the first place). But if you’re at the receiving end of second-hand (aka ‘grey market’, used) hardware, you should not trust the firmware, and only accept the hardware if the manufacturer has tools and images to let you restore the firmware back to a known-good state.